PKC-PC: A Variant of the McEliece Public Key Cryptosystem based on Polar Codes
Reza Hooshmand, Masoumeh Koochak Shooshtari, Mohammad Reza Aref
Abstract — Polar codes are novel and efficient error correcting codes with low encoding and decoding complexities. These codes have a channel-dependent generator matrix which is determined by the code dimension, the code length and the parameters of the transmission channel. This paper studies a variant of the McEliece public key cryptosystem based on polar codes, called “PKC-PC”. Because the structure of the polar codes’ generator matrix depends on the channel parameters, we use an efficient approach to conceal the generator matrix. Then, with the help of the characteristics of polar codes and a further efficient approach, we reduce the public and private key sizes of the PKC-PC and increase its information rate compared to the McEliece cryptosystem. It is shown that polar codes can yield an increased security level against the conventional attacks and known vulnerabilities of code-based public key cryptosystems. Moreover, we show that the security of the PKC-PC reduces to solving NP-complete problems.
Compared to other post-quantum public key schemes, we believe that the PKC-PC is a promising candidate for NIST post-quantum crypto standardization.
Index Terms— Channel Coding, McEliece Cryptosystem, Polar Codes, Public Key Cryptography

I. INTRODUCTION AND MOTIVATION

It has been revealed that the conventionally used public key cryptosystems, whose security is based on the difficulty of the discrete logarithm or factoring problems, are broken by quantum computers in polynomial time [1]. One important category of cryptosystems that can resist quantum computer-based attacks is code-based cryptosystems. These cryptosystems can be considered as alternatives to the conventional public key cryptosystems such as RSA and ElGamal [2]. The security of most of them relies on the hardness of some conventional problems in coding theory [3]. For example, it was previously shown that decoding a linear code with no clear structure is an NP-complete problem [4]. The first public key code-based cryptosystem, originally proposed based on binary Goppa codes, is the McEliece cryptosystem [5]. This cryptosystem uses a binary Goppa code’s generator matrix, a scrambling matrix and a permutation matrix as the private key. The scrambling and permutation matrices are employed to convert the private generator matrix into the public matrix. The McEliece cryptosystem applies the public generator matrix to encode the information vector into codewords of the public code. Compared to the conventional public key cryptosystems, the McEliece cryptosystem has low-complexity encryption/decryption algorithms. Nevertheless, due to the use of binary Goppa codes, this cryptosystem has two major weaknesses [6]: (i) low transmission rate, and (ii) huge key size. One efficient approach to resolving these weaknesses is to exchange the binary Goppa codes for other linear block codes. However, such a replacement can introduce serious flaws in the security level.

The material in this paper was presented in part at the Eleventh International ISC Conference on Information Security and Cryptology (ISCISC 2014), Tehran, Iran, September 2014. This work was supported in part by the Iranian National Science Foundation (INSF) under Grant 92.32575. Reza Hooshmand is with the Department of Electrical Engineering, Shahid Sattari Aeronautical University of Science and Technology, Tehran 1384663113, Iran (e-mail: [email protected]). Masoumeh Koochak Shooshtari is with the Faculty of Electrical Engineering, K. N. Toosi University of Technology, Tehran 16315-1355, Iran (e-mail: [email protected]). Mohammad Reza Aref is with the Department of Electrical Engineering, Sharif University of Technology, Tehran 11365/8639, Iran (e-mail: [email protected]).
Thus far, several schemes have been proposed to overcome the weaknesses of the McEliece scheme by exchanging the Goppa codes for different linear codes such as generalized Reed–Solomon (GRS) codes [7], Reed–Muller codes [8], quasi-cyclic low-density parity-check (QC-LDPC) codes [9-11], wild Goppa codes [12, 13], p-adic Goppa codes [11, 14], moderate-density parity-check (MDPC) codes [15, 16], convolutional codes [17] and, more recently, low-density lattice codes (LDLCs) [18]. Some of these proposals decrease the public key length while keeping the same security level against the conventional attacks. However, most of them exposed the McEliece cryptosystem to new security threats and introduced serious flaws in its security level. For example, the public key schemes based on GRS and Reed–Muller codes were broken in [19] and [20], respectively. A number of versions of the LDPC code-based schemes [9, 10] have been successfully cryptanalyzed with efficient attacks in [21, 22]. Some of the parameters of the public key schemes based on wild Goppa codes [12, 13] have been successfully cryptanalyzed in [23, 24]. In addition, the convolutional code-based scheme [17] was cryptanalyzed by Landais and Tillich in [25]. Moreover, the cryptosystems based on p-adic Goppa codes [11, 14] were broken in [26]. Polar codes [27] are a novel family of codes which, with the help of successive cancellation (SC) decoding, attain the information-theoretic bounds in channel coding. Up to now, many attempts have been made to achieve secrecy in information-theoretic security by applying the properties of polar codes [28]. Moreover, several studies have been carried out in recent years to introduce polar code-based cryptographic
$k$ rows from an $n \times n$ square matrix. The advantage of random selection in this method is that the opponent cannot obtain the data needed to decode the predetermined polar codeword. In addition, by exploiting the properties of polar codes, we use the encryption matrix of the PKC-PC in systematic form. Moreover, the nonsingular matrix is obtained from the generator matrix of the employed polar code. These measures reduce the private and public key sizes and increase the security level. The rest of this paper is organized as follows. Section II describes the characteristics of polar codes. We discuss the idea of applying polar codes in the construction of the PKC-PC in Section III, where the design issues of our scheme are also explained. The efficiency of the PKC-PC is assessed in Section IV: we compute the error performance, key size and computational complexity of the PKC-PC and compare it with the original McEliece and other McEliece-like schemes. To investigate the security level, we consider the security reduction in Section V. We also show that the PKC-PC has a high enough security level when the parameters are chosen properly. Finally, the conclusion of this paper is presented in Section VI.

II. POLAR CODES
Polar codes are a very powerful category of linear codes that provably attain the capacity of any binary-input discrete memoryless channel (B-DMC), e.g., the binary erasure channel (BEC) [27] and the binary symmetric channel (BSC). Let $W : \mathcal{X} \to \mathcal{Y}$ be a B-DMC. Consider $\mathcal{X} = \{0, 1\}$ as the input alphabet, $\mathcal{Y}$ as the output alphabet and $\{W(y|x),\ x \in \mathcal{X},\ y \in \mathcal{Y}\}$ as the transition probabilities of $W$. Define
$$I(W) \triangleq \sum_{y \in \mathcal{Y}} \sum_{x \in \mathcal{X}} \tfrac{1}{2} W(y|x) \log \frac{W(y|x)}{\tfrac{1}{2} W(y|0) + \tfrac{1}{2} W(y|1)}$$
and
$$Z(W) \triangleq \sum_{y \in \mathcal{Y}} \sqrt{W(y|0)\,W(y|1)},$$
where $I(W) \in [0, 1]$ is called the (symmetric) capacity of $W$ and is used to measure the rate, and $Z(W) \in [0, 1]$ is called the Bhattacharyya parameter of $W$ and is used to measure the reliability. We have $I(W) \approx 1$ iff $Z(W) \approx 0$, and $I(W) \approx 0$ iff $Z(W) \approx 1$. If $W$ is a BEC with erasure probability $\epsilon$, i.e., BEC($\epsilon$), then $Z(W) = \epsilon$ and $I(W) = 1 - Z(W) = 1 - \epsilon$.

Let $\{W_n^{(i)} : 1 \le i \le n\}$ be the set of polarized channels, called sub-channels or bit-channels, with indices $i$, obtained by applying the channel polarization process to $n$ independent copies of a B-DMC $W$. If $n$ is large enough, the sub-channel capacities $\{I(W_n^{(i)}),\ 1 \le i \le n\}$ and Bhattacharyya parameters $\{Z(W_n^{(i)}),\ 1 \le i \le n\}$ are each close to either 0 or 1. Let $\mathcal{I}_n = \{i,\ 1 \le i \le n\}$ be the set of the $n$ sub-channel indices. Consider $\mathcal{A} \subset \mathcal{I}_n$ as a $k$-element information set and $\mathcal{A}^c \subset \mathcal{I}_n$ as the $(n-k)$-element frozen (fixed) set. For all $i \in \mathcal{A}$, $j \in \mathcal{A}^c$, we have $Z(W_n^{(i)}) \le Z(W_n^{(j)})$ and $I(W_n^{(i)}) \ge I(W_n^{(j)})$. In fact, of the $n$ sub-channels, about $nI(W)$ (with indices in $\mathcal{A}$) become noiseless or reliable and about $n(1 - I(W))$ (with indices in $\mathcal{A}^c$) become unreliable or noisy [27].

A. Constructing the Generator and Parity-Check Matrices
Consider $n = 2^m$, $m \ge 1$, and $G = \begin{bmatrix} 1 & 0 \\ 1 & 1 \end{bmatrix}$. Also, consider the $m$-th Kronecker power $G^{\otimes m}$, which is an $n \times n$ matrix. One interesting property of this matrix for polar codes is stated in Remark 1 [36]:

Remark 1: Let $(G^{\otimes m})_{\mathcal{A}\mathcal{A}}$ denote the submatrix of $G^{\otimes m}$ consisting of the elements $G_{i,j}$, $i, j \in \mathcal{A}$. Since $G^{\otimes m}$ is lower triangular with 1s on the diagonal, any submatrix $(G^{\otimes m})_{\mathcal{A}\mathcal{A}}$, $\mathcal{A} \subset \{1, \dots, n\}$, is also lower triangular with 1s on the diagonal, so it is also nonsingular (invertible).

Given the rate $R < I(W)$ and dimension $k = nR$, a $k \times n$ generator matrix $G_{\mathcal{A}}$ is obtained for a polar code of length $n$ and dimension $k$ with the following steps [37]:

1) First, the rows of $G_n$ are labeled from the first to the last row as $i = 1, 2, \dots, n$. For BEC($\epsilon$), the $Z(W_n^{(i)})$ are obtained recursively from $Z(W_1^{(1)}) = \epsilon$ as follows, for $l = 1, 2, 4, \dots, 2^{m-1}$: (i) $\forall\, 1 \le i \le l$, $Z(W_{2l}^{(i)}) = 2Z(W_l^{(i)}) - Z(W_l^{(i)})^2$; (ii) $\forall\, l+1 \le i \le 2l$, $Z(W_{2l}^{(i)}) = Z(W_l^{(i-l)})^2$. A permutation $\pi_n = (i_1, \dots, i_n)$ of the sub-channel index set $\mathcal{I}_n = \{1, 2, \dots, n\}$ is formed such that $Z(W_n^{(i_j)}) \le Z(W_n^{(i_k)})$ for $1 \le j < k \le n$.

2) The information set $\mathcal{A} \subset \mathcal{I}_n$ consists of the sub-channel indices corresponding to the $k$ leftmost entries of $\pi_n$, i.e., $i_1, \dots, i_k$. The $k \times n$ generator matrix $G_{\mathcal{A}}$ is obtained by choosing the $k$ rows of $G_n$ with indices in $\mathcal{A}$. The frozen set $\mathcal{A}^c \subset \mathcal{I}_n$ consists of the sub-channel indices corresponding to the $(n-k)$ rightmost entries of $\pi_n$, i.e., $i_{k+1}, i_{k+2}, \dots, i_n$. The $(n-k) \times n$ frozen matrix $G_{\mathcal{A}^c}$ is obtained by choosing the $(n-k)$ rows of $G_n$ with indices in $\mathcal{A}^c$.

In an $(n, k)$ non-systematic polar code, the input vector $\boldsymbol{u} = (u_1, u_2, \dots, u_n) = (\boldsymbol{u}_{\mathcal{A}}, \boldsymbol{u}_{\mathcal{A}^c})$ consists of the $k$-bit information subvector $\boldsymbol{u}_{\mathcal{A}} = (u_i,\ i \in \mathcal{A})$ and the $(n-k)$-bit frozen (fixed) subvector $\boldsymbol{u}_{\mathcal{A}^c} = (u_i,\ i \in \mathcal{A}^c)$. The information subvector $\boldsymbol{u}_{\mathcal{A}}$ carries the information data, which changes from transmission to transmission; the frozen subvector consists of fixed values known to the decoder [36]. Polar codes are defined in terms of an invertible map $G_n$ via $\boldsymbol{x} = \boldsymbol{u}G_n$, where $G_n = B_n G^{\otimes m}$ and $B_n$ is the bit-reversal permutation matrix defined in [27]. The construction of the parity-check matrix of a polar code is characterized by Lemma 1 [38]:

Lemma 1: Let $\mathcal{A}$ be the information set and $\mathcal{A}^c$ the frozen set of an $(n, k)$ polar code. Let $G_n = B_n G^{\otimes m}$ be the $n \times n$ matrix consisting of the generator matrix $G_{\mathcal{A}}$ and the frozen matrix $G_{\mathcal{A}^c}$, and assume that the frozen vector $\boldsymbol{u}_{\mathcal{A}^c}$ is the all-zero vector. Then the parity-check matrix $H_{n \times r}$, $r = n - k$, is constructed by selecting the columns of $G_n$ with indices in $\mathcal{A}^c$. Proof. Similar to the proof of Lemma 1 in [38].

B. Polar Encoding
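The construction of Sec. II.A and the encoding map $\boldsymbol{x} = \boldsymbol{u}_{\mathcal{A}} G_{\mathcal{A}}$, as an added worked example in Python (not code from the paper): it builds $G^{\otimes m}$, evaluates the BEC recursion, picks the information set and $G_{\mathcal{A}}$, and checks Lemma 1 by computing the syndrome $\boldsymbol{x}H$ of every codeword. Two choices are assumptions of this example, not statements of the page: the bit-reversal $B_n$ is dropped (since $B_n G^{\otimes m} = G^{\otimes m} B_n$ [27], it only permutes codeword positions, and without it Remark 1 applies to $G_n$ directly), and the two BEC update rules are applied to the odd and even indices $2i-1$, $2i$ of the next level, which is Arıkan's indexing [27] and matches the order in which the SC decoder of Sec. II.C visits $u_1, \dots, u_n$; applied to the first and second half instead, the same values come out in bit-reversed index order. The block verifies its ordering by enumerating all erasure patterns exactly.

```python
# Added example (not the paper's code): polar code construction over BEC(eps),
# the generator matrix G_A and the parity-check matrix of Lemma 1.
# Assumptions: G_n = G^{(x)m} without the bit-reversal B_n; Bhattacharyya recursion in
# Arikan's odd/even indexing, which is the order in which SC decoding visits u_1..u_n.
from itertools import product


def kron_power(m):
    """G^{(x)m} for G = [[1, 0], [1, 1]], as a list of rows over GF(2)."""
    g = [[1]]
    for _ in range(m):
        g = [row + [0] * len(row) for row in g] + [row + row for row in g]
    return g


def bhattacharyya_bec(eps, m):
    """Z(W_n^(i)), i = 1..n (index 0 is u_1), from Z(W_1^(1)) = eps: each level maps
    Z(W_l^(i)) to Z(W_2l^(2i-1)) = 2Z - Z^2 ("minus" channel) and Z(W_2l^(2i)) = Z^2 ("plus")."""
    z = [eps]
    for _ in range(m):
        z = [v for zi in z for v in (2 * zi - zi * zi, zi * zi)]
    return z


def gf2_in_span(vectors, target):
    """Is target (a bit list) in the GF(2) span of vectors? Bitmask Gaussian elimination."""
    def to_int(v):
        return sum(b << i for i, b in enumerate(v))
    basis = {}  # leading bit -> reduced basis vector

    def reduce_vec(x):
        for lead in sorted(basis, reverse=True):
            if x >> lead & 1:
                x ^= basis[lead]
        return x
    for v in vectors:
        x = reduce_vec(to_int(v))
        if x:
            basis[x.bit_length() - 1] = x
    return reduce_vec(to_int(target)) == 0


def exact_erasure_prob(g, i, eps):
    """Exact erasure probability of bit-channel i (0-based) over BEC(eps), by enumeration:
    u_i is undetermined iff its unit vector is outside the span of the unerased columns of G
    restricted to the still-unknown rows i..n-1 (rows < i are known to the SC decoder)."""
    n = len(g)
    total = 0.0
    for erased in product((0, 1), repeat=n):
        cols = [[g[r][j] for r in range(i, n)] for j in range(n) if not erased[j]]
        if not gf2_in_span(cols, [1] + [0] * (n - i - 1)):
            p = 1.0
            for b in erased:
                p *= eps if b else 1 - eps
            total += p
    return total


def recursion_error(m, eps):
    """Largest gap between the recursion and exact enumeration over all n bit-channels."""
    g, z = kron_power(m), bhattacharyya_bec(eps, m)
    return max(abs(z[i] - exact_erasure_prob(g, i, eps)) for i in range(2 ** m))


def polar_code(m, k, eps):
    """Information set A (the k most reliable indices), frozen set A^c, G_A and the
    n x (n-k) matrix H of Lemma 1 (columns of G_n with indices in A^c)."""
    n = 2 ** m
    g, z = kron_power(m), bhattacharyya_bec(eps, m)
    pi_n = sorted(range(n), key=lambda i: z[i])  # permutation by increasing Z
    info, frozen = sorted(pi_n[:k]), sorted(pi_n[k:])
    g_a = [g[i] for i in info]
    h = [[g[r][j] for j in frozen] for r in range(n)]
    return info, frozen, g_a, h


def encode(u_a, g_a):
    """x = u_A G_A over GF(2) (frozen bits all zero)."""
    x = [0] * len(g_a[0])
    for bit, row in zip(u_a, g_a):
        if bit:
            x = [a ^ b for a, b in zip(x, row)]
    return x


def syndrome(x, h):
    """x H over GF(2); equals u_{A^c} because G_n is its own inverse."""
    return [sum(x[r] & h[r][j] for r in range(len(x))) % 2 for j in range(len(h[0]))]


def lemma1_holds(m, k, eps):
    """Every codeword has syndrome 0, and a word with a nonzero frozen bit does not."""
    info, frozen, g_a, h = polar_code(m, k, eps)
    g = kron_power(m)
    all_zero = all(not any(syndrome(encode(u, g_a), h)) for u in product((0, 1), repeat=k))
    bad = encode([1], [g[frozen[0]]])  # input vector with a single nonzero frozen bit
    return all_zero and any(syndrome(bad, h))


if __name__ == "__main__":
    m, k, eps = 3, 4, 0.5
    info, frozen, g_a, h = polar_code(m, k, eps)
    print("Z:", [round(v, 4) for v in bhattacharyya_bec(eps, m)])
    print("A =", info, " A^c =", frozen)
    print("recursion vs exact enumeration, max gap:", recursion_error(m, eps))
    print("Lemma 1 holds:", lemma1_holds(m, k, eps))
```

For $n = 8$ and $\epsilon = 0.5$ the information set comes out as the four most reliable indices $\{4, 6, 7, 8\}$ (1-based), and the enumeration agrees with the recursion to floating-point precision; swapping the two update rules to the half-split order changes which indices land in $\mathcal{A}$, which is exactly what the decoder of Sec. II.C cannot tolerate.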
In the polar encoding process, the input vector $\boldsymbol{u} = (\boldsymbol{u}_{\mathcal{A}}, \boldsymbol{u}_{\mathcal{A}^c})$ is mapped to the $n$-bit codeword $\boldsymbol{x} = \boldsymbol{u}_{\mathcal{A}}G_{\mathcal{A}} + \boldsymbol{u}_{\mathcal{A}^c}G_{\mathcal{A}^c} = \boldsymbol{u}_{\mathcal{A}}G_{\mathcal{A}} + \boldsymbol{c}$, where $\boldsymbol{c} \triangleq \boldsymbol{u}_{\mathcal{A}^c}G_{\mathcal{A}^c}$ is a fixed vector. The code rate is $R = |\boldsymbol{u}_{\mathcal{A}}| / |\boldsymbol{x}| = |\mathcal{A}| / n$. The information vector is sent across the noiseless sub-channels at a rate close to one, while the frozen (fixed) vector is sent across the noisy sub-channels at a rate close to zero [27].

C. Successive Cancellation (SC) Decoding
Consider $\boldsymbol{x}$ as an $n$-bit codeword of the polar code that is sent along the $n$ sub-channels, and $\boldsymbol{y} = y_1^n$ as the corresponding channel output vector. The aim of SC decoding is to compute the estimated input vector $\hat{\boldsymbol{u}}$ using the information set $\mathcal{A}$, the frozen vector $\boldsymbol{u}_{\mathcal{A}^c}$ and the channel output vector $\boldsymbol{y}$. For $W_n^{(i)}$, $i = 1, 2, \dots, n$, SC decoding computes the likelihood ratio (LR) of the input bit $u_i$ given $\boldsymbol{y}$ and the previously decided bits $\hat{u}_1^{i-1}$,
$$L_n^{(i)}(y_1^n, \hat{u}_1^{i-1}) = \frac{W_n^{(i)}(y_1^n, \hat{u}_1^{i-1} \mid u_i = 0)}{W_n^{(i)}(y_1^n, \hat{u}_1^{i-1} \mid u_i = 1)}.$$
The input bits are decided as follows: (i) $\forall i \in \mathcal{A}^c$, $\hat{u}_i = u_i$; (ii) $\forall i \in \mathcal{A}$, $\hat{u}_i = h_i(y_1^n, \hat{u}_1^{i-1})$. The decision functions $h_i : \mathcal{Y}^n \times \mathcal{X}^{i-1} \to \mathcal{X}$, $i \in \mathcal{A}$, are defined for all $y_1^n \in \mathcal{Y}^n$, $\hat{u}_1^{i-1} \in \mathcal{X}^{i-1}$ as: (i) if $L_n^{(i)} \ge 1$, $h_i(y_1^n, \hat{u}_1^{i-1}) = 0$; (ii) otherwise, $h_i(y_1^n, \hat{u}_1^{i-1}) = 1$. The block error probability of the SC decoder is upper bounded as $P_e \le \sum_{i \in \mathcal{A}} Z(W_n^{(i)})$ for any B-DMC $W$ [27]. Moreover, reliable communication under SC decoding is achieved when inequality (1) holds [39],
$$R < I(W) - n^{-1/\mu}, \qquad (1)$$
where $\mu$ is called the scaling exponent and its value depends on the channel type; for example, $\mu \approx 3.627$ for the BEC. The maximum $R$ satisfying (1) is called the cutoff rate.

III. THE PROPOSED POLAR CODE-BASED PUBLIC KEY SCHEME
Here, efficient techniques are first presented to categorize the sub-channels and to conceal the polar code’s generator matrix. Then we explain the construction of the PKC-PC.

A. Good and Bad Sub-Channels
For the PKC-PC, we categorize all $n$ sub-channels $\{W_n^{(i)} : 1 \le i \le n\}$ into good and bad sub-channels according to Definitions 1 and 2 [29]:

Definition 1. The $nR$ sub-channels with the smallest Bhattacharyya parameters among all $n$ sub-channels, i.e., the smallest error probability, are called good sub-channels. Their indices are the $nR$ leftmost entries of $\pi_n$, and the set is denoted $\mathcal{G}_n(W, R) = \{i \in \mathcal{I}_n : \pi_n(i) \in \{i_1, i_2, \dots, i_{nR}\}\}$. ■

Definition 2. The $n(1-R)$ sub-channels with the largest Bhattacharyya parameters among all $n$ sub-channels, i.e., the largest error probability, are called bad sub-channels. Their indices are the $n(1-R)$ rightmost entries of $\pi_n$, and the set is denoted $\mathcal{B}_n(W, R) = \{i \in \mathcal{I}_n : \pi_n(i) \in \{i_{nR+1}, i_{nR+2}, \dots, i_n\}\}$. ■

In the PKC-PC, we consider transmission over a noiseless insecure channel. In this case, all $n$ sub-channels are good sub-channels. Therefore a high transmission rate, e.g., $R = 0.75$ or $R \approx 0.9$ as in Table I, can be used in the PKC-PC. In fact, the information rate of the PKC-PC is increased significantly compared to the McEliece cryptosystem.

B. Concealing the Generator Matrix
To hide the polar code’s generator matrix, an efficient approach is proposed in the following steps, by which an adversary cannot obtain the concealed generator matrix:

1) First, $k$ indices are chosen randomly from $\mathcal{G}_n(W, R)$, i.e., $k$ sub-channels are selected at random from the set of good sub-channels. The $k$ arbitrarily chosen indices are called the secret information set and denoted by $\mathcal{A}(s)$. The secret generator matrix $G_{\mathcal{A}(s)}$ is the $k \times n$ submatrix of $G_n$ formed by the $k$ rows corresponding to $\mathcal{A}(s)$. The secret frozen set $\mathcal{A}^c(s) \subset \mathcal{I}_n$ consists of the $(n-k)$ indices of $\mathcal{I}_n$ not selected in step 1, and the secret frozen matrix $G_{\mathcal{A}^c(s)}$ is the $(n-k) \times n$ submatrix of $G_n$ whose rows correspond to $\mathcal{A}^c(s)$.

In this way, the secret generator matrix $G_{\mathcal{A}(s)}$ is no longer determined by the channel parameters, so it cannot be recovered by an adversary who knows only $\epsilon$, $n$ and $k$. In fact, by concealing $G_{\mathcal{A}(s)}$, the attacker cannot run the SC decoder to recover the estimated input vector $\hat{\boldsymbol{u}}$ from the channel output vector $\boldsymbol{y}$ in polynomial time. Fig. 1 shows the proposed concept of concealing the generator matrix and encoding to enhance the security based on an $(n, k)$ polar code.

Fig. 1. The idea of providing security and encoding based on an $(n, k)$ polar code. (a) The $k$ sub-channels are randomly chosen from the $n$ good sub-channels; the $n-k$ remaining sub-channels carry the frozen (fixed) vector. (b) The secret information vector is sent through the $k$ randomly chosen good sub-channels and the fixed bits (zeros) through the $(n-k)$ non-selected sub-channels, giving the codeword $(x_1, \dots, x_n)$.

As observed in Fig. 1(a), $k$ sub-channels are arbitrarily chosen from the good sub-channels to conceal the generator matrix $G_{\mathcal{A}(s)}$. The idea in Fig. 1(b) is to transmit the secret information vector, denoted by $\boldsymbol{u}_{\mathcal{A}(s)}$, across the $k$ randomly chosen good sub-channels while transmitting the fixed vector, denoted by $\boldsymbol{u}_{\mathcal{A}^c(s)}$, through the $(n-k)$ remaining sub-channels. Since the error performance of polar codes does not depend on how $\boldsymbol{u}_{\mathcal{A}^c(s)}$ is chosen, it makes no difference how this vector is selected. Hence, the $(n-k)$-bit all-zero vector is used as $\boldsymbol{u}_{\mathcal{A}^c(s)}$ in the encryption/decryption algorithms of the PKC-PC to simplify its structure.

C. Key Generation
The key generation algorithm proceeds as follows:

1) A secret generator matrix $G_{\mathcal{A}(s)}$ is generated (see Sec. III.B).

2) A $k \times k$ scrambling matrix $S$ is generated by extracting the submatrix $(G_n)_{\mathcal{A}(s)\mathcal{A}(s)}$ from $G_n$ (see Sec. III.B).

3) An $n \times n$ binary permutation matrix $P = [P' \mid P'']$ is generated. Here $P'$ is the $n \times k$ submatrix whose $k$ columns each contain a single 1, placed in row $j$ for the successive $j \in \mathcal{A}(s)$, and $P''$ is the $n \times (n-k)$ submatrix whose $(n-k)$ 1s are placed randomly, one per column, in the rows not already used by $P'_{n \times k}$, so that $P_{n \times n}$ remains a permutation matrix.

4) The encryption matrix is constructed as $G' = S^{-1}G_{\mathcal{A}(s)}P$.

D. Private Key
The private key is the set $\mathcal{K}_{sec} = \{\mathcal{A}^c(s), P\}$. In the PKC-PC, since both $G_{\mathcal{A}(s)}$ and $S$ are determined by $\mathcal{A}(s)$, it is possible to store $\mathcal{A}(s)$ instead of $G_{\mathcal{A}(s)}$ and $S$. Moreover, the set $\mathcal{A}^c(s)$ is the complement of $\mathcal{A}(s)$ and needs less memory to store (for $R > 1/2$), so it suffices to store $\mathcal{A}^c(s)$ instead of $\mathcal{A}(s)$. This dramatically reduces the private key length (see Sec. IV.B). The other element of $\mathcal{K}_{sec}$ is the permutation matrix $P_{n \times n}$, whose construction is given in Sec. III.C.

E. Public Key

The public key is $\mathcal{K}_{pub} = G' = S^{-1}G_{\mathcal{A}(s)}P = S^{-1}G''$, where $G'' = G_{\mathcal{A}(s)}P$ is a $k \times n$ matrix. Multiplying $G_{\mathcal{A}(s)}$ by the permutation matrix $P$ places the columns of $G_{\mathcal{A}(s)}$ with indices $j \in \mathcal{A}(s)$, in order, in the $k$ leftmost positions. In this way $G'' = [S \mid G''']$ consists of two submatrices: the $k \times k$ nonsingular submatrix $S = (G_n)_{\mathcal{A}(s)\mathcal{A}(s)}$ and a $k \times (n-k)$ submatrix $G'''$. Hence the public key is the $k \times n$ matrix $\mathcal{K}_{pub} = S^{-1}G'' = [I_k \mid Q]$, where $I_k$ is the $k \times k$ identity matrix and $Q = S^{-1}G'''$ is a $k \times (n-k)$ submatrix. With this method, the memory required for the public key $\mathcal{K}_{pub}$ is $k(n-k)$ bits instead of $kn$ bits: it suffices to store the $k \times (n-k)$ matrix $Q$. In this way the large key length problem of the McEliece cryptosystem is mitigated. Note that the memory requirement of $\mathcal{K}_{pub}$ is reduced further as the information rate increases. Also, by employing the CCA2-secure Kobara–Imai $\gamma$-conversion [40] for the PKC-PC, the systematic encryption matrix $G'$ does not decrease the security level against adaptive chosen ciphertext attacks.

F. Encryption
Bob first selects a code at random from the family of equivalent $(n, k)$ polar codes by randomly choosing $k$ indices from the good sub-channel indices. He takes the indices of the $k$ selected good sub-channels as $\mathcal{A}(s)$ and constructs $G_{\mathcal{A}(s)}$ for the selected polar code. He also constructs the two other secret matrices, the $k \times k$ scrambling matrix $S$ and the $n \times n$ permutation matrix $P$, as in Sec. III.C, and generates the public key $G' = S^{-1}G_{\mathcal{A}(s)}P$. Alice obtains $G'$ from the public directory and splits her message into $k$-bit blocks $\boldsymbol{m}$. Finally, Alice encrypts as $\boldsymbol{c} = \boldsymbol{m}G' + \boldsymbol{e}$, where $\boldsymbol{e}$ is an arbitrary error vector with $w_H(\boldsymbol{e}) < t$.

G. Decryption
The ciphertext $\boldsymbol{c}$ is decrypted in the following steps:

1) First, $\boldsymbol{c}' = \boldsymbol{c}P^{-1} = \boldsymbol{m}S^{-1}G_{\mathcal{A}(s)} + \boldsymbol{e}P^{-1}$ is computed, where $P^{-1}$ is the inverse of the permutation matrix $P$. Since $P$ is a permutation matrix, $w_H(\boldsymbol{e}P^{-1}) = w_H(\boldsymbol{e})$. Therefore $\boldsymbol{c}' = c_1'^{\,n}$ is a noisy codeword of the previously chosen polar code, and Bob can correct the intentional errors with SC decoding to recover $\boldsymbol{m}S^{-1}$. Since $\boldsymbol{u}_{\mathcal{A}^c(s)}$ is the all-zero vector, the pair $\{\mathcal{A}(s), \boldsymbol{c}'\}$ is the SC decoder’s input (see Fig. 2).

2) The encoder input vector $\boldsymbol{u} = (\boldsymbol{u}_{\mathcal{A}(s)}, \boldsymbol{u}_{\mathcal{A}^c(s)}) = (\boldsymbol{m}S^{-1}, \boldsymbol{0})$ is estimated by SC decoding as follows: (i) $\forall i \in \mathcal{A}^c(s)$, $\hat{u}_i = 0$; (ii) $\forall i \in \mathcal{A}(s)$, $\hat{u}_i = h_i(c_1'^{\,n}, \hat{u}_1^{i-1})$, where the hard decision function $h_i$ is defined as: (i) if $\dfrac{W_n^{(i)}(c_1'^{\,n}, \hat{u}_1^{i-1} \mid u_i = 0)}{W_n^{(i)}(c_1'^{\,n}, \hat{u}_1^{i-1} \mid u_i = 1)} \ge 1$, then $h_i(c_1'^{\,n}, \hat{u}_1^{i-1}) = 0$; (ii) otherwise, $h_i(c_1'^{\,n}, \hat{u}_1^{i-1}) = 1$. In other words, if the index $i$ of $W_n^{(i)}$ is not in the secret information set $\mathcal{A}(s)$, the decoder knows that $\hat{u}_i = u_i = 0$.

3) After the SC decoder maps $\boldsymbol{c}'$ to $\hat{\boldsymbol{u}} = \hat{u}_1^n$, Bob obtains the message as $\boldsymbol{m} = \hat{\boldsymbol{u}}_{\mathcal{A}(s)}S$.

As the above steps show, $\mathcal{A}(s)$ is needed to run the SC decoder; an adversary who does not know $\mathcal{A}(s)$ therefore cannot use this decoder to correct the intentional errors. Fig. 2 shows the block diagram of the PKC-PC.
Fig. 2. Flowchart of the PKC-PC. Alice’s encryptor multiplies $\boldsymbol{m}$ by $G' = S^{-1}G_{\mathcal{A}(s)}P$ and adds $\boldsymbol{e}$; the ciphertext $\boldsymbol{c}$ crosses the insecure noiseless channel; Bob’s decryptor applies $P^{-1}$ to obtain $\boldsymbol{c}'$, runs the SC decoder with $\mathcal{A}(s)$ to obtain $\boldsymbol{u}_{\mathcal{A}(s)}$, and multiplies by $S$ to recover $\boldsymbol{m}$.
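Sections III.B to III.G as one runnable toy, added here as an example and not taken from the paper: key generation with a random secret information set, the systematic public key $[I_k \mid Q]$ obtained by row reduction (which equals $S^{-1}G''$, so $S^{-1}$ never has to be formed), encryption $\boldsymbol{c} = \boldsymbol{m}G' + \boldsymbol{e}$, and decryption through $P^{-1}$, SC decoding with $\mathcal{A}(s)$ and the final multiplication by $S$. Assumptions of the example: $G_n = G^{\otimes m}$ without the bit-reversal $B_n$ (it only permutes codeword positions, and Remark 1 then holds for $S = (G_n)_{\mathcal{A}(s)\mathcal{A}(s)}$), a min-sum SC decoder fed with hard-decision LLRs, every sub-channel treated as good as in Sec. III.A, and tiny parameters ($n = 16$) chosen for readability rather than security. The final loop tries every single-bit intentional error; with $\mathcal{A}(s)$ drawn uniformly rather than by reliability, SC decoding is not guaranteed to correct even one error, which is the error-performance question taken up in Sec. IV.A.

```python
# Added example (not the paper's code): a toy PKC-PC with key generation, encryption and
# decryption. Assumptions: G_n = G^{(x)m} without the bit-reversal B_n, a min-sum SC
# decoder on hard-decision LLRs, every sub-channel treated as good (noiseless channel),
# and tiny parameters chosen for readability, not security.
import math
import random
from itertools import product


def kron_power(m):
    """G^{(x)m} for G = [[1, 0], [1, 1]] over GF(2)."""
    g = [[1]]
    for _ in range(m):
        g = [row + [0] * len(row) for row in g] + [row + row for row in g]
    return g


def vec_mat(v, mat):
    """v * mat over GF(2)."""
    out = [0] * len(mat[0])
    for bit, row in zip(v, mat):
        if bit:
            out = [a ^ b for a, b in zip(out, row)]
    return out


def to_systematic(mat):
    """Gauss-Jordan on a k x n matrix whose k leftmost columns form a nonsingular S.
    Row operations amount to left-multiplying by S^{-1}, so the result is [I_k | Q] = S^{-1} mat."""
    a = [row[:] for row in mat]
    k = len(a)
    for c in range(k):
        piv = next(r for r in range(c, k) if a[r][c])
        a[c], a[piv] = a[piv], a[c]
        for r in range(k):
            if r != c and a[r][c]:
                a[r] = [x ^ y for x, y in zip(a[r], a[c])]
    return a


def sc_decode(llr, frozen):
    """Successive-cancellation decoder for x = u G^{(x)m}; llr[i] > 0 favours x_i = 0.
    Frozen positions are forced to 0, as in Sec. III.G. Returns u_hat."""
    frozen = set(frozen)

    def rec(l, start):          # returns (u_hat block, its re-encoding x = u_hat G^{(x)j})
        n = len(l)
        if n == 1:
            u = 0 if start in frozen else int(l[0] < 0)
            return [u], [u]
        h = n // 2
        f = [math.copysign(min(abs(a), abs(b)), a * b) for a, b in zip(l[:h], l[h:])]
        u1, x1 = rec(f, start)                 # "minus" channel: u_1..u_h
        g = [b + (1 - 2 * xi) * a for a, b, xi in zip(l[:h], l[h:], x1)]
        u2, x2 = rec(g, start + h)             # "plus" channel: u_{h+1}..u_n
        return u1 + u2, [a ^ b for a, b in zip(x1, x2)] + x2
    return rec(llr, 0)[0]


def keygen(m, k, seed):
    """Sec. III.C: random secret information set A(s), S = (G_n)_{A(s)A(s)}, P = [P' | P'']
    and the systematic public key G' = S^{-1} G_{A(s)} P = [I_k | Q]."""
    rng = random.Random(seed)
    n = 2 ** m
    g_n = kron_power(m)
    info = sorted(rng.sample(range(n), k))           # A(s): all n sub-channels count as good
    frozen = [i for i in range(n) if i not in info]  # A^c(s), the stored part of the key
    rest = frozen[:]
    rng.shuffle(rest)
    perm = info + rest      # column c of G_A P is column perm[c] of G_A: P' brings A(s) first
    g_a = [g_n[i] for i in info]
    g_pp = [[row[j] for j in perm] for row in g_a]   # G'' = G_A P = [S | G''']
    s = [[g_n[i][j] for j in info] for i in info]    # unit lower triangular (Remark 1)
    return to_systematic(g_pp), {"info": info, "frozen": frozen, "perm": perm, "S": s}


def encrypt(msg, g_pub, err):
    """c = m G' + e."""
    return [a ^ b for a, b in zip(vec_mat(msg, g_pub), err)]


def decrypt(c, priv):
    """c' = c P^{-1}, SC decode with A(s) (frozen bits zero), then m = u_{A(s)} S."""
    c_prime = [0] * len(c)
    for j, pj in enumerate(priv["perm"]):
        c_prime[pj] = c[j]
    llr = [1 - 2 * bit for bit in c_prime]           # hard-decision LLRs
    u_hat = sc_decode(llr, priv["frozen"])
    return vec_mat([u_hat[i] for i in priv["info"]], priv["S"])


def is_systematic(g_pub):
    k = len(g_pub)
    return all(g_pub[r][:k] == [int(r == c) for c in range(k)] for r in range(k))


def public_key_consistent(g_pub, priv):
    """S * G' must reproduce G'' = G_A P, i.e. the reduction really computed S^{-1} G''."""
    g_n = kron_power(len(priv["perm"]).bit_length() - 1)
    g_pp = [[g_n[i][j] for j in priv["perm"]] for i in priv["info"]]
    return all(vec_mat(row, g_pub) == target for row, target in zip(priv["S"], g_pp))


def roundtrip_all(m, k, seed):
    """Every k-bit message decrypts correctly when no intentional error is added."""
    g_pub, priv = keygen(m, k, seed)
    n = 2 ** m
    return all(decrypt(encrypt(list(msg), g_pub, [0] * n), priv) == list(msg)
               for msg in product((0, 1), repeat=k))


if __name__ == "__main__":
    m, k = 4, 8
    g_pub, priv = keygen(m, k, seed=1)
    n = 2 ** m
    rng = random.Random(2)
    msg = [rng.randrange(2) for _ in range(k)]
    corrected = sum(decrypt(encrypt(msg, g_pub, [int(i == pos) for i in range(n)]), priv) == msg
                    for pos in range(n))
    print("public key systematic:", is_systematic(g_pub), "| stored bits k(n-k) =", k * (n - k))
    print("S * G' == G_A P:", public_key_consistent(g_pub, priv))
    print(f"single-bit errors corrected with a random A(s): {corrected}/{n}")
```

Because the public matrix is reduced to $[I_k \mid Q]$, only the $k(n-k)$ bits of $Q$ need to be published, which is the key-size argument of Sec. III.E; the private side keeps just $\mathcal{A}(s)$ (or its complement) and the column order of $P$, from which $S$ and $G_{\mathcal{A}(s)}$ are rebuilt on demand.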
IV. E FFICIENCY A SSESSMENT
In this section, we measure the error performance, the key size and the computational complexity to evaluate the efficiency of the PKC-PC.

A. Error Performance
As mentioned in Sec. II, the SC decoder estimates the value of the $i$-th input bit, denoted $\hat{u}_i$, given the received vector $\boldsymbol{y} = y_1^n$ and the previously estimated input bits $\hat{u}_1, \hat{u}_2, \dots, \hat{u}_{i-1}$ [27]. Therefore, to find an upper bound on the Hamming weight of $\boldsymbol{e}$, the worst case for the error-correction capability of SC decoding is considered, i.e., an erasure burst.

Theorem [41]: Consider a polar code of length $n = 2^m$ constructed for transmission over a binary memoryless symmetric (BMS) channel $W$. In this case, if an erasure burst of length at least occurs, the SC decoder always fails to obtain the estimated message with probability of at least . Proof. In [41].

The above theorem gives an upper bound on the error-correction capability. For instance, in the PKC-PC with a polar code of length $n = 1024$ under SC decoding, the upper bound on the Hamming weight of $\boldsymbol{e}$ is 63.

B. Key Size
In this section, we measure the public and private key lengths of the PKC-PC using the (1024, 768) polar code:

1) In CCA2-secure variants, the encryption matrix can be kept in systematic form, which occupies $k(n-k)$ bits instead of $kn$ bits. As the PKC-PC is CCA2-secure (see Sec. VI.D), we can use the systematic encryption matrix $\mathcal{K}_{pub} = S^{-1}G_{\mathcal{A}(s)}P = [I_k \mid Q]$ as the public key. In this case, the public key length is $\mathcal{M}_{pub} = k(n-k) = 768 \times 256 = 196{,}608$ bits $\approx 24$ kbytes.

2) The PKC-PC’s private key is the set $\{\mathcal{A}^c(s), P\}$, in which $\mathcal{A}^c(s)$ is stored instead of $G_{\mathcal{A}(s)}$ and $S$. The largest sub-channel index, $n = 1024$, may belong to $\mathcal{A}^c(s)$ and needs 10 bits in binary, so the memory required for $\mathcal{A}^c(s)$ is $\mathcal{M}_{\mathcal{A}^c(s)} \le 10(n-k) = 2{,}560$ bits $= 2.56$ kbits. Storing $P$ as a dense binary $n \times (n-k)$ matrix (the $P'$ part is determined by $\mathcal{A}(s)$) takes $\mathcal{M}_P = n(n-k) = 262{,}144$ bits $\approx 32.77$ kbytes; storing only the row position of the single 1 in each of the $n-k$ columns of $P''$, as is done for $\mathcal{A}^c(s)$, would need just $10(n-k)$ bits. Hence the upper bound on the private key length is $\mathcal{M}_{pri} = \mathcal{M}_{\mathcal{A}^c(s)} + \mathcal{M}_P \le 2.56$ kbits $+ 32.77$ kbytes $\approx 33.1$ kbytes.

Table I compares the number of equivalent codes ($\mathcal{N}_C$), $\mathcal{M}_{pub}$, $R$ and the upper bound on $w_H(\boldsymbol{e})$ of the PKC-PC with the McEliece scheme. Although the PKC-PC has larger $R$ and $k$, its $\mathcal{M}_{pub}$ is smaller than that of the McEliece cryptosystem. Moreover, because the $k$ sub-channels are chosen randomly among the $n$ good sub-channels, the number of equivalent polar codes for the proposed parameters is $\mathcal{N}_C = \binom{n}{k}$ (see Sec. VI.A), which is much larger than the number of equivalent Goppa codes in the McEliece scheme.

TABLE I
COMPARING THE EFFICIENCY OF THE PKC-PC AND THE McELIECE SCHEME

Scheme                     McEliece [5]     PKC-PC              PKC-PC               PKC-PC
Code                       Goppa            Polar               Polar                Polar
(n, k)                     (1024, 524)      (256, 192)          (1024, 768)          (1024, 921)
N_C                                         C(256, 192)         C(1024, 768)         C(1024, 921)
M_pub (kbytes, k(n-k) bits)                 1.5                 24                   11.6
R = k/n                    0.51             0.75                0.75                 0.90
Upper bound on w_H(e)      50               31                  63                   63
Decoding                   Patterson        SC                  SC                   SC
Security level

C. Computational Complexity

The computational complexity of the PKC-PC has two parts: (i) the encryption complexity $\mathcal{C}_{Enc}$ and (ii) the decryption complexity $\mathcal{C}_{Dec}$. Encryption computes the product $\boldsymbol{m}G'$ and then adds the intentional error vector $\boldsymbol{e}$, so $\mathcal{C}_{Enc} = \mathcal{C}_{mul}(\boldsymbol{m}G') + \mathcal{C}_{add}(\boldsymbol{e})$, where $\mathcal{C}_{mul}(\boldsymbol{m}G') = \mathcal{O}(k(n-k))$ is the cost of multiplying $\boldsymbol{m}$ by the systematic encryption matrix $G' = [I_k \mid Q]$. Note that with the CCA2-secure conversion the encryption matrix can be kept in systematic form, which reduces $\mathcal{C}_{mul}(\boldsymbol{m}G')$ from $\mathcal{O}(kn)$ to $\mathcal{O}(k(n-k))$. Moreover, $\mathcal{C}_{add}(\boldsymbol{e}) = \mathcal{O}(n)$ is the number of binary operations needed to add the $n$-bit $\boldsymbol{e}$. For a CCA2-secure implementation, the cost of the scrambling operations applied to $\boldsymbol{m}$ before the multiplication by $G'$ must also be counted. The decryption complexity is $\mathcal{C}_{Dec} = \mathcal{C}_{mul}(\boldsymbol{c}P^{-1}) + \mathcal{C}_{SC}(\boldsymbol{c}') + \mathcal{C}_{mul}(\boldsymbol{u}_{\mathcal{A}(s)}S)$, where $\mathcal{C}_{mul}(\boldsymbol{c}P^{-1}) = \mathcal{O}(n)$ is the number of binary operations needed to multiply the $n$-bit ciphertext $\boldsymbol{c}$ by the inverse of $P$, $\mathcal{C}_{SC}(\boldsymbol{c}') = \mathcal{O}(n \log n)$ is the complexity of SC decoding [27], and $\mathcal{C}_{mul}(\boldsymbol{u}_{\mathcal{A}(s)}S) = \mathcal{O}(k^2)$ is the number of binary operations for multiplying the $k$-bit vector $\boldsymbol{u}_{\mathcal{A}(s)} = \boldsymbol{m}S^{-1}$ by $S$.

V. FORMAL SECURITY ASSESSMENT
The security assessment of the PKC-PC is divided into two parts: (a) the security reduction and (b) practical security. In this section, using the security reduction proposed in [3, 42] for the original McEliece cryptosystem based on Goppa codes, we provide the corresponding reduction for the PKC-PC. We demonstrate the NP-completeness of new variants of the hard decoding problem which are fitted to the specific parameters of polar codes, and provide a reduction showing that an attacker able to break the PKC-PC can solve these variants with similar effort. Consider $\mathcal{C}$ as a binary polar code of length $n = 2^m$, $t$ as the error-correcting capability of $\mathcal{C}$ and $\omega$ as a positive integer less than $t$. In the presented system, the adversary must determine $\boldsymbol{e}$ given a vector $\boldsymbol{c} = \boldsymbol{m}G' + \boldsymbol{e}$. Since the Hamming weight $\omega$ of the intentional error vector $\boldsymbol{e}$ is less than $t$, the attacker runs a low-weight word search algorithm to find $\boldsymbol{e}$. Below we show that the adversary has no efficient algorithm to obtain $\boldsymbol{e}$: the security of the PKC-PC reduces to solving the NP-complete problems polar parameterized syndrome decoding (PPSD) and polar parameterized codeword existence (PPCE), to each of which the NP-complete three-dimensional matching (TDM) problem is reduced. The PPSD and PPCE problems are fixed to the properties of $(n, k)$ polar codes, i.e., $n = 2^m$, $k = nR$ and $t = 2\sqrt{n} - 1$. It suffices to show that neither PPSD nor PPCE can be solved efficiently to conclude that no efficient attacker exists against the PKC-PC. Note that NP-completeness is a worst-case statement about the problem family; it does not by itself exclude efficient attacks on the particular instances produced by the key generation of Sec. III, which is why the practical attacks of Sec. VI are examined separately. Let $\mathcal{P}_{n,k}$ be the family of $(n, k)$ polar codes whose generator matrices consist of $k$ rows selected from the $n$ rows of $G_n$. Also, let $\mathcal{H}_{n,r}$ be the set of all $n \times r$ matrices whose $r = n - k$ columns are selected from the columns of $G_n' = \begin{bmatrix} G_{\mathcal{A}(s)} \\ G_{\mathcal{A}^c(s)} \end{bmatrix}$.

Problem 1 [3].
Three-Dimensional Matching (TDM)
Instance: a subset $U \subseteq T \times T \times T$, where $T$ is a finite set. Question: is there a set $W \subseteq U$ such that $|W| = |T|$ and no two elements of $W$ agree in any coordinate?

Problem 2 [29]. Polar Parameterized Syndrome Decoding (PPSD)
Instance: the parameters $\mathcal{H}_{n,r}$, $r = n - k$, a matrix $H \in \mathcal{H}_{n,r}$, a vector $\boldsymbol{s} \in \mathbb{F}_2^r$ and a nonnegative integer $\omega = 2\sqrt{n} - 1$. Question: find $\boldsymbol{y} \in \mathbb{F}_2^n$ with $w_H(\boldsymbol{y}) = 2\sqrt{n} - 1$ such that $\boldsymbol{y}H = \boldsymbol{s}$?

Proposition 1.
The PPSD problem is NP-complete.
Proof.
Inspired by the approaches of [3, 42], and by reducing the TDM problem to the PPSD problem, it can be shown that PPSD is NP-complete. Consider $B$ as the $|U| \times 3|T|$ incidence matrix of the TDM instance: each row of $B$ contains three 1s, one for each coordinate of the corresponding triple. Therefore, finding a solution of the TDM problem amounts to finding a set of $|T|$ rows whose sum over $GF(2)$ is the all-one vector. As illustrated in Fig. 3, $B$ is expanded to a matrix $H$ of size $n \times r$ by appending $n' = n - |U|$ all-zero rows and $r' = r - 3|T|$ all-zero columns; this extension makes $B$ fit the parameters of the PPSD problem.

Fig. 3. Matrix $H$ [42] used to reduce the TDM problem to the PPSD problem: $B$ occupies the top-left $|U| \times 3|T|$ block, padded by $n'$ zero rows and $r'$ zero columns.

Now assume that a polynomial-time algorithm exists which solves any instance of the PPSD problem. The matrix $H$ and the syndrome $\boldsymbol{s} = (1, \dots, 1, 0, \dots, 0)$, consisting of $3|T|$ ones followed by $r'$ zeros, are given to this algorithm. By executing it, we learn in polynomial time whether the set of triples in $B$ contains a matching: with $|T| = 2\sqrt{n} - 1$, a solution $\boldsymbol{y}$ of weight $|T|$ selects $|T|$ rows among the $|U|$ top rows of $H$ whose sum is the all-one vector (the zero rows cannot contribute, since fewer than $|T|$ rows of weight 3 cannot sum to a vector of weight $3|T|$), i.e., a matching. Thus a polynomial-time solution of PPSD gives a polynomial-time solution of TDM, which in turn would give a polynomial-time solution of every problem in NP; together with PPSD being in NP, this demonstrates that PPSD is NP-complete. ■

Problem 3 [29].
Polar Parameterized Codeword Existence (PPCE)
Instance: a binary matrix $H_{n \times r}$, $n = 2^m$, $r = n - k$, and a positive integer $\omega = 2\sqrt{n} - 1$. Question: is there a codeword $\boldsymbol{x}$ of Hamming weight at most $\omega = 2\sqrt{n} - 1$ such that $\boldsymbol{x}H = 0$?

Proposition 2. The PPCE problem is NP-complete.
Proof.
To prove the NP-completeness of the PPCE problem, first the matrix $C$ (Fig. 4(a)) is constructed [42]. Then, by inserting $n'' = n - 3|T|(|U|+1) - |U|$ all-zero rows and $r'' = r - 3|T|(|U|+1)$ all-zero columns into $C$, it is expanded to the matrix $H$ of size $n \times r$ (Fig. 4(b)). This extension makes $C$ fit the parameters of the PPCE problem. In fact, $C$ is a $(3|T||U| + 3|T| + |U|) \times (3|T||U| + 3|T|)$ matrix whose first $|U|$ rows consist of the matrix $B$ followed by $3|T|$ copies of the identity matrix $I_{|U|}$, and whose last $3|T||U| + 3|T|$ rows form an identity matrix $I_{3|T||U| + 3|T|}$. Suppose that a polynomial-time algorithm exists which solves any instance of the PPCE problem; $H$ and $\omega = 2\sqrt{n} - 1$ are given to it as input.

Fig. 4. (a) Matrix $C$ [42] used to reduce the TDM problem to the Subspace Weights problem: $[B \mid I_{|U|} \mid \cdots \mid I_{|U|}]$ ($3|T|$ copies) on top of an identity matrix. (b) Matrix $H$, i.e. $C$ padded by $n''$ zero rows and $r''$ zero columns, used to reduce the TDM problem to the PPCE problem.

We need to find a word of Hamming weight $3|T|^2 + 4|T| = 2\sqrt{n} - 1$. The height $n = \big((3|T|^2 + 4|T| + 1)/2\big)^2$ of $H$ is polynomial in $|T|$, so the extension from $C$ to $H$ is feasible. Suppose that $\boldsymbol{y} = (y_1, y_2, \dots, y_{n - n''}, 0, \dots, 0)$, whose $n''$ rightmost coordinates are zeros, satisfies $\boldsymbol{y}H = 0$. Consider $\boldsymbol{y}_1 = (y_1, \dots, y_{|U|})$ and $\boldsymbol{y}_2 = (y_{|U|+1}, \dots, y_{n - n''})$ as the subvectors of $\boldsymbol{y}$. According to Fig. 4(a, b), $\boldsymbol{y}_2 = \boldsymbol{y}_1[B \mid I_{|U|} \mid \cdots \mid I_{|U|}]$, so $w_H(\boldsymbol{y}_2) = w_H(\boldsymbol{y}_1B) + 3|T|\, w_H(\boldsymbol{y}_1)$. Adding $w_H(\boldsymbol{y}_1)$ to both sides gives $w_H(\boldsymbol{y}) = w_H(\boldsymbol{y}_1B) + (3|T| + 1)\, w_H(\boldsymbol{y}_1)$. Since $w_H(\boldsymbol{y}_1B) \le 3|T|$, both terms can be read off $w_H(\boldsymbol{y})$: dividing $w_H(\boldsymbol{y})$ by $3|T| + 1$, $w_H(\boldsymbol{y}_1B)$ is the remainder and $w_H(\boldsymbol{y}_1)$ the quotient. If $w_H(\boldsymbol{y}) = 3|T|^2 + 4|T|$, then $w_H(\boldsymbol{y}_1B) = 3|T|$ and $w_H(\boldsymbol{y}_1) = |T|$, i.e., $|T|$ rows of $B$ sum to the all-one vector. Hence the code with parity-check matrix $H$ has a word of Hamming weight $3|T|^2 + 4|T|$ if and only if the set of triples in $B$ has a matching [3].

In fact, a solution to the PPCE problem is a set of $3|T|^2 + 4|T|$ rows of $H$ summing to 0; it yields a solution of the TDM problem, which demonstrates that the PPCE problem is NP-complete. ■

Proposition 3.
Breaking the Polar variant of the McEliece cryptosystem is not easier than solving the decoding problem for a random code.
Proof.
This follows from Propositions 1 and 2. ■

VI. PRACTICAL SECURITY ASSESSMENT
In this section we investigate practical attacks against the PKC-PC. Generally, two types of practical attack can be considered [43, 44]: (i) structural attacks (key recovery attacks), which aim either at recovering the secret generator matrix $G_{\mathcal{A}(s)}$ of the employed polar code from the public key $G' = S^{-1} G_{\mathcal{A}(s)} P$, or at distinguishing the public key $G'$ from a random matrix (which invalidates the reduction proof); (ii) decoding (message recovery) attacks, which aim at decoding a noisy codeword containing a message $\mathbf{m}$ without exploiting any structure of the secret generator matrix $G_{\mathcal{A}(s)}$.

A. Brute Force Attack
A brute force attack is a structural attack in which all candidate keys are enumerated and tested until the correct one is found. Such an attack is doomed to fail if the private key space is large enough; therefore the secret code used in the PKC-PC should be chosen at random from a very large class of equivalent polar codes. The original McEliece cryptosystem with Goppa codes is immune to this attack. In the PKC-PC, because the $k$ information sub-channels are chosen at random from the $n$ sub-channels, the number of equivalent $(n,k)$ polar codes and the number of their duals are $\mathcal{N}_{\mathcal{C}} = \binom{n}{k}$ and $\mathcal{N}_{\mathcal{C}^\perp} = \binom{n}{n-k}$, respectively. This yields a very large set of equivalent polar codes; for example, for a $(256, 192)$ polar code, $\mathcal{N}_{\mathcal{C}} = \binom{256}{192} \approx 2^{203}$. In addition, there are many possibilities for the nonsingular and permutation matrices used in the PKC-PC. The number of binary nonsingular scrambler matrices equals the number of possible submatrices $G_{i,j}$ of $G_n$ with indices $i, j \in \mathcal{A}(s)$, that is, $\mathcal{N}_S = \mathcal{N}_{\mathcal{C}} = \binom{n}{k}$. If $n$ and $k$ are chosen properly, $\mathcal{N}_{\mathcal{C}}$ is large enough that an adversary cannot find $G_{\mathcal{A}(s)}$ in polynomial time. The number of binary permutation matrices $P_{n \times n}$ is computed as $\mathcal{N}_P = \mathcal{N}_{P'} \cdot \mathcal{N}_{P''} = \binom{n}{k} \times (n - k)$. Table II lists the average number of equivalent polar codes, nonsingular matrices and permutation matrices for various code lengths $n$, dimensions $k$ and rates $R = 0.75$ and $R = 0.9$. As the table shows, for the parameter sizes used in the PKC-PC it is infeasible to find $S$, $P$ and $G_{\mathcal{A}(s)}$ in polynomial time.

TABLE II
THE AVERAGE NUMBER OF EQUIVALENT POLAR CODES, NONSINGULAR AND PERMUTATION MATRICES FOR VARIOUS CODE LENGTHS, DIMENSIONS AND RATES R = 0.75 AND R = 0.9
(the numerical entries of the N_C, N_S and N_P columns are not legible in this copy; only the parameter columns are reproduced)
(n, k)          R
(256, 192)      0.75
(256, 230)      0.9
(512, 384)      0.75
(1024, 768)     0.75
(2048, 1536)    0.75
(4096, 3072)    0.75

B. Key Recovery Attack
A distinguishing attack, a kind of algebraic attack, tries to tell the public key matrix apart from a random binary matrix by means of a distinguisher. In its naive form such a distinguisher only invalidates the security reduction; it becomes more powerful if it can reveal the hidden structure of the secret code. In [45], a deterministic distinguisher is proposed that distinguishes the matrix of a Goppa code from a random matrix; that is, it solves the Goppa code distinguishing (GCD) problem in polynomial time for high code rates (close to 1). The key ingredient of this method is an algebraic characterization of the key recovery problem; the idea is to consider the dimension of the solution space of a linearized system derived from a particular polynomial system. We recall that the existence of such a distinguisher does not undermine the security of the original McEliece cryptosystem; it only shows that its security cannot be reduced to the hardness of decoding a random linear code by means of the GCD assumption. Attacks of this kind perform better against some other cryptosystems, namely those using non-binary Goppa codes [23, 24] and generalized Reed-Solomon (GRS) codes [44], since there they lead to recovery of the secret code. However, these distinguishing attacks are ineffective against the PKC-PC for the following reasons: (i) they cannot tell the public key matrix of the PKC-PC apart from a randomly generated one, i.e., the public key resists this attack, because the public key $G' = S^{-1} G_{\mathcal{A}(s)} P$ is not the generator matrix of a polar code, owing to the multiplication of $G_{\mathcal{A}(s)} P$ by $S^{-1}$; (ii) the distinguisher cannot work on subspaces of the code, so it cannot detect the subspace that the attacker needs.

In [35], Bardet et al. present a key recovery attack that breaks the Shrestha-Kim [34] polar code-based public key cryptosystem. They introduce a new family of codes, called decreasing monomial codes, which contains Reed-Muller codes and polar codes as special cases. With these codes, low-weight codewords in the underlying polar code and in its dual are found, and the permuted polar code can be recovered together with all the information required to decrypt any message. The code equivalence problem for binary polar codes is thereby solved efficiently by a more elaborate algorithm in four steps. The first step searches for minimum-weight codewords using the Stern [46] and Dumer [47] algorithms. The second step shortens the code with respect to the low-weight codewords found in the first step, and does the same in the dual code. The third step uses a characterization of the permutation group of polar codes, together with the low-weight codewords found in Step 2, to find among the codewords of Step 1 a subset of codewords that is determined up to the action of the permutation group. The fourth step punctures the code with respect to the support of a minimum-weight element of this last subset, which gives a code of small length whose structure is known up to code equivalence. The code equivalence problem is then solved for this small code and used to recover the underlying polar code step by step. As shown in [35], the only way to avoid this key recovery attack is to choose polar code parameters for which finding minimum-weight codewords is infeasible, both in the code and in its dual; this would require changing the parameters proposed in the Shrestha-Kim scheme significantly, which would make that scheme much less attractive. However, this attack does not apply to the PKC-PC, since we select a special kind of random subcode of a polar code instead of the polar code itself. This choice prevents the code equivalence problem from being solved: since the numbers of equivalent codes for the polar code $\mathcal{C}$ and its dual, $\mathcal{N}_{\mathcal{C}}$ and $\mathcal{N}_{\mathcal{C}^\perp}$, are large enough, the PKC-PC is immune to this key recovery attack.

C. Information Set Decoding Attack
Information set decoding (ISD) is the most powerful kind of decoding attack and usually determines the work factor of code-based cryptosystems. An ISD attack tries to find the error vector $\mathbf{e}$ in a ciphertext by searching for minimum-weight codewords in the given code extended by the received word, i.e., the code generated by the rows of $G'$ together with $\mathbf{c}$; finding the minimum-weight codeword of this extended code is equivalent to finding $\mathbf{e}$. A naive form of ISD was introduced by Prange [48] and applied to the original McEliece cryptosystem [5]; many variants followed [49-53]. An important step in this development is Stern's attack [46], a probabilistic, explicit algorithm for finding low-weight codewords in an $(n,k)$ binary linear code. In this paper we use Stern's attack [46] to analyze the strength of the PKC-PC against ISD. Its inputs are (i) an integer $\omega \ge 0$ and (ii) an $(n-k) \times n$ parity-check matrix $H$ or a $k \times n$ generator matrix $G$ of the $(n,k)$ polar code. Let $\mathrm{WF}_{\mathrm{isd}}(n,k,\omega)$ denote the work factor of finding a single codeword of weight $\omega$ in an $(n,k)$ binary linear code by ISD. With Stern's algorithm,
$$\mathrm{WF}_{\mathrm{isd}}(n,k,\omega) = \frac{\mathrm{Cost}_{\mathrm{ST}}}{P_{\mathrm{ST}}},$$
where the number of binary operations per iteration is
$$\mathrm{Cost}_{\mathrm{ST}} = (n-k)^3 (n+k) + 2 \binom{k/2}{p} p\,\ell + \frac{2p\,(n-k) \binom{k/2}{p}^2}{2^{\ell}}$$
and the probability that one iteration finds a single codeword of weight $\omega$ is
$$P_{\mathrm{ST}} = \binom{k/2}{p}^2 \binom{n-k-\ell}{\omega - 2p} \binom{n}{\omega}^{-1}.$$
Here $p$ and $\ell$ are two integer parameters of the algorithm whose values are chosen so as to minimize the attack complexity [46].
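As an added worked example (not code from the paper), the following Python script evaluates Stern's work factor $\mathrm{WF}_{\mathrm{isd}} = \mathrm{Cost}_{\mathrm{ST}} / P_{\mathrm{ST}}$ for given $(n, k, \omega, p, \ell)$, grid-searches $(p, \ell)$ for the minimum, and compares the result with the brute-force bound $\mathcal{N}_{\mathcal{C}} = \binom{n}{k}$ of Section VI-A. It assumes the standard exponents of the Stern cost model (a cubic Gaussian-elimination term and a squared list size); the parameters $(n, k, \omega) = (1024, 768, 63)$ with $(p, \ell) = (5, 39)$ are taken from Tables III and IV, and $\omega = 31$ for $n = 256$ follows $t = 2\sqrt{n} - 1$ as used in Section VI-D. All results are returned in $\log_2$.

```python
import math


def log2_binom(n, k):
    """log2 of the binomial coefficient C(n, k); -inf when it is zero."""
    if k < 0 or k > n:
        return float("-inf")
    return math.log2(math.comb(n, k))


def stern_log2_work_factor(n, k, w, p, l):
    """log2 of WF_isd(n, k, w) = Cost_ST / P_ST for Stern's algorithm with
    parameters p (columns taken from each half of the information set) and
    l (number of parity rows used for the collision search)."""
    half = k // 2
    if p > half or w - 2 * p < 0 or n - k - l < w - 2 * p:
        return float("inf")  # these (p, l) can never produce a weight-w word
    b = math.comb(half, p)
    # binary operations per iteration: Gaussian elimination, building the two
    # lists of size C(k/2, p), and checking the colliding pairs (2^l buckets)
    cost = (n - k) ** 3 * (n + k) + 2 * b * p * l + 2 * p * (n - k) * b * b / 2 ** l
    # probability that one iteration finds a given word of weight w
    log2_p = 2 * log2_binom(half, p) + log2_binom(n - k - l, w - 2 * p) - log2_binom(n, w)
    return math.log2(cost) - log2_p


def best_stern_parameters(n, k, w, p_max=12, l_max=100):
    """Grid search over (p, l) for the smallest Stern work factor.
    Returns (p, l, log2 work factor)."""
    best = (None, None, float("inf"))
    for p in range(1, p_max + 1):
        for l in range(1, l_max + 1):
            wf = stern_log2_work_factor(n, k, w, p, l)
            if wf < best[2]:
                best = (p, l, wf)
    return best


def log2_equivalent_codes(n, k):
    """log2 of N_C = C(n, k), the brute-force key space of Section VI-A."""
    return log2_binom(n, k)


if __name__ == "__main__":
    # (1024, 768, 63) and (p, l) = (5, 39) are listed in Tables III/IV;
    # (256, 192, 31) uses t = 2*sqrt(n) - 1.
    for n, k, w in ((256, 192, 31), (1024, 768, 63)):
        p, l, wf = best_stern_parameters(n, k, w)
        print(f"({n},{k}) w={w}: best (p,l)=({p},{l}) log2 WF={wf:.1f}, "
              f"log2 N_C={log2_equivalent_codes(n, k):.1f}")
    print(f"(1024,768) w=63 at (p,l)=(5,39): log2 WF="
          f"{stern_log2_work_factor(1024, 768, 63, 5, 39):.1f}")
```

The script makes the claim at the end of this subsection checkable: for every row of the tables, $\log_2 \mathcal{N}_{\mathcal{C}}$ is several times larger than the ISD work factor, so the ISD attack, not key enumeration, sets the security level. Replacing `stern_log2_work_factor` with a cost model for a newer ISD variant [51-53] is a one-function change.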
TABLE III
WORK FACTOR (log2) OF ISD ATTACKS ON POLAR CODES WITH VARIOUS CODE LENGTHS AND DIMENSIONS FOR R = 0.75
(only the (n, k) and (p, ℓ) columns are legible in this copy; the w_H(e), WF and public-key-size entries are not)
(n, k)          (p, ℓ)      w_H(e)    WF (log2)    PK (kByte)
(256, 192)      (2, 8)
(512, 384)      (3, 22)
(1024, 768)     (5, 39)
(2048, 1536)    (7, 59)
(4096, 3072)    (15, 124)

TABLE IV
WORK FACTOR (log2) OF ISD ATTACKS ON POLAR CODES WITH VARIOUS CODE RATES AND DIMENSIONS FOR n = 1024, w_H(e) = 63
(only the (p, ℓ) column is legible in this copy; the R, k, WF, N_C and public-key-size entries of the six rows are not)
R      k      (p, ℓ)      WF (log2)    N_C (log2)    PK (kByte)
              (3, 27)
              (3, 27)
              (3, 27)
              (5, 39)
              (9, 61)
              (5, 1)

Some sets of polar code parameters with $R = 0.75$, together with the corresponding security levels computed with Stern's algorithm, are given in Table III. Other parameter sets of length $n = 1024$ and various code rates are given in Table IV. The results of Table IV show that polar codes offer wide flexibility in the code rate, which makes it possible to decrease the public key size at the cost of decreasing $\mathcal{N}_{\mathcal{C}}$. Since $\mathcal{N}_{\mathcal{C}}$ still exceeds the complexity of the ISD attack, the work factor is determined by the ISD attack.

D. CCA2-Secure Version of the PKC-PC
As mentioned earlier, the PKC-PC uses a systematic encryption matrix $G' = [I_k \mid Q]$ as the public key, which has the following advantages [43]: (i) the public key becomes much smaller, requiring $k(n-k)$ bits instead of $kn$ bits; (ii) encryption is faster, since it suffices to multiply the plaintext $\mathbf{m}$ by the $k \times (n-k)$ submatrix $Q$ instead of the $k \times n$ matrix $G'$; (iii) decryption is faster, because the message is a prefix of the ciphertext and can be read off directly. However, a systematic encryption matrix can lose security against adaptive chosen ciphertext attacks (CCA2). In such an attack, given a ciphertext $\mathbf{c} = \mathbf{m}G' + \mathbf{e}$ of a message $\mathbf{m}$, the attacker submits $\mathbf{c} + \mathbf{m}'G'$ to the decryption oracle for some $\mathbf{m}'$ of its choice, obtains the oracle's output $\bar{\mathbf{m}}$, and recovers the message as $\mathbf{m} = \bar{\mathbf{m}} - \mathbf{m}'$. Therefore the PKC-PC must be secured against CCA2 so that the systematic encryption matrix $G'$ can be used without loss of security. The PKC-PC is CCA2-secure if an attacker with access to a decryption oracle gains no advantage in deciphering a given ciphertext $\mathbf{c}$. Indistinguishability under adaptive chosen ciphertext attacks (IND-CCA2) is achieved if, when Alice encrypts one of two messages $\mathbf{m}_0 \ne \mathbf{m}_1$ to obtain a ciphertext $\mathbf{c}$, the attacker has no advantage in deciding which of the two was encrypted. Several techniques have been proposed to make the McEliece cryptosystem IND-CCA2 [54-58]. All of these conversions are based on scrambling the message inputs, which destroys any relation between two dependent messages that an attacker might exploit to recover the message. Applying a CCA2-secure conversion therefore lets us use a systematic generator matrix without loss of security. Two generic conversions applicable to the PKC-PC are the Pointcheval conversion [55] and the Fujisaki-Okamoto conversion [54].
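As an added worked example (not code from the paper), the following Python script shows why the linearity exploited by the oracle attack above is dangerous even without any decryption oracle: it carries out the related-message attack that this subsection goes on to describe, recovering $\mathbf{m}_1$ from two ciphertexts $\mathbf{c}_1 = \mathbf{m}_1 G' + \mathbf{e}_1$, $\mathbf{c}_2 = \mathbf{m}_2 G' + \mathbf{e}_2$ and the known relation $\mathbf{m}_1 + \mathbf{m}_2$, using only the public matrix and GF(2) linear algebra. The attack never looks inside the key, so a random systematic $G' = [I_k \mid Q]$ stands in for the PKC-PC key; $(n, k, t) = (128, 64, 8)$ are toy parameters chosen so that the run is instant, and the function names are this example's own.

```python
import random


def public_matrix(n, k, rng):
    """Systematic public matrix G' = [I_k | Q] with a random Q. Stand-in for the
    PKC-PC key: the attack below never uses the structure of Q. Rows are bit lists."""
    return [[1 if j == i else 0 for j in range(k)] + [rng.randint(0, 1) for _ in range(n - k)]
            for i in range(k)]


def vec_add(u, v):
    return [a ^ b for a, b in zip(u, v)]


def weight(v):
    return sum(v)


def encode(m, G):
    """m * G over GF(2)."""
    c = [0] * len(G[0])
    for bit, row in zip(m, G):
        if bit:
            c = vec_add(c, row)
    return c


def encrypt(m, G, t, rng):
    """c = m G' + e with a random error vector of weight exactly t."""
    e = [0] * len(G[0])
    for i in rng.sample(range(len(e)), t):
        e[i] = 1
    return vec_add(encode(m, G), e)


def solve_gf2(rows, rhs):
    """Solve A x = rhs over GF(2). A is given as k bitmask ints (bit j = column j),
    rhs as k bits. Returns x as a bit list, or None if A is singular."""
    k = len(rows)
    aug = [rows[i] | (rhs[i] << k) for i in range(k)]  # bit k carries rhs
    for col in range(k):
        pivot = next((r for r in range(col, k) if (aug[r] >> col) & 1), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(k):
            if r != col and (aug[r] >> col) & 1:
                aug[r] ^= aug[col]
    return [(aug[i] >> k) & 1 for i in range(k)]  # reduced to I | x


def related_message_attack(c1, c2, delta, G, t, rng, max_tries=500):
    """Recover m1 from c1 = m1 G' + e1 and c2 = m2 G' + e2 given delta = m1 + m2,
    with no decoder and no secret key (Berson's related-message attack)."""
    n, k = len(G[0]), len(G)
    e_sum = vec_add(vec_add(c1, c2), encode(delta, G))  # = e1 + e2, weight <= 2t
    assert weight(e_sum) <= 2 * t
    clean = [i for i in range(n) if e_sum[i] == 0]  # error-free in both ciphertexts,
    for _ in range(max_tries):                      # except where e1 and e2 overlap
        info_set = rng.sample(clean, k)
        # m1 restricted to info_set satisfies m1 * G'[:, info_set] = c1[info_set];
        # written as A x = b with row i of A = column info_set[i] of G'
        rows = [sum(G[j][i] << j for j in range(k)) for i in info_set]
        m = solve_gf2(rows, [c1[i] for i in info_set])
        if m is not None and weight(vec_add(c1, encode(m, G))) <= t:
            return m  # residual c1 + m G' is a legitimate error vector, so m = m1
    return None


def demo(seed=1, n=128, k=64, t=8):
    """Toy run with constructed keys and messages: returns (true m1, recovered m1)."""
    rng = random.Random(seed)
    G = public_matrix(n, k, rng)
    m1 = [rng.randint(0, 1) for _ in range(k)]
    delta = [rng.randint(0, 1) for _ in range(k)]  # known relation: m2 = m1 + delta
    m2 = vec_add(m1, delta)
    c1, c2 = encrypt(m1, G, t, rng), encrypt(m2, G, t, rng)
    return m1, related_message_attack(c1, c2, delta, G, t, rng)


if __name__ == "__main__":
    m1, found = demo()
    print("recovered" if found == m1 else "failed", found)
```

The weight check on the residual is what makes the attack robust: a position where $\mathbf{e}_1$ and $\mathbf{e}_2$ both have a 1 looks clean in $\mathbf{e}_1 + \mathbf{e}_2$, and an information set containing it yields a wrong $\mathbf{m}$, which the check rejects before another set is drawn. A message-resend attack is the special case $\Lambda(\mathbf{m}_1, \mathbf{m}_2) = 0$. Any CCA2 conversion that randomizes the plaintext before encoding (including the Kobara-Imai conversion adopted below) removes the known relation the attack depends on.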
Although a CCA2-secure scheme can be obtained with the generic conversions [54, 55], they are not well suited to the PKC-PC because they add a large amount of redundancy to the ciphertexts. A specific conversion such as the Kobara-Imai γ-conversion [56] instead keeps the data redundancy small even for large parameters. We therefore apply the Kobara-Imai γ-conversion, whose data overhead is smaller than that of the generic conversions, to obtain a CCA2-secure PKC-PC. Breaking indistinguishability in the CCA2 model with the Kobara-Imai γ-conversion is as hard as breaking the McEliece scheme itself [56]. Another weakness of the plain PKC-PC is the malleability of its ciphertexts, which lets an attacker use the relation between two encrypted messages to determine the error bits. Let $\mathbf{m}_1$ and $\mathbf{m}_2$ be two messages with a known relation $\Lambda$, e.g., $\Lambda(\mathbf{m}_1, \mathbf{m}_2) = \mathbf{m}_1 + \mathbf{m}_2$, and let $\mathbf{c}_1 = \mathbf{m}_1 G' + \mathbf{e}_1$ and $\mathbf{c}_2 = \mathbf{m}_2 G' + \mathbf{e}_2$ be their ciphertexts. Then $\mathbf{c}_1 + \mathbf{c}_2 + \Lambda(\mathbf{m}_1, \mathbf{m}_2) G' = \mathbf{e}_1 + \mathbf{e}_2$ has Hamming weight at most $2t = 4\sqrt{n} - 2$, which reveals at least $n - 2t$ positions that are error-free in both ciphertexts; from these the attacker seeks an information set of $k$ error-free positions. This property allows an attacker to guess the error bits. A special case of related messages arises in the message-resend attack, where the same message is encrypted twice and the attacker obtains $\mathbf{e}_1 + \mathbf{e}_2 = \mathbf{c}_1 + \mathbf{c}_2$. Another attack is the reaction attack, a weaker form of CCA2, in which the attacker flips a few bits of the ciphertext and observes the reaction of the legitimate receiver. If the receiver cannot decode the modified ciphertext and therefore requests a retransmission, the flipped bits were not in error originally. This allows the attacker to collect $k$ error-free positions in at most $k$ iterations. Using the Kobara-Imai γ-conversion makes the PKC-PC secure against such practical attacks: the related-message attack [59], the message-resend attack, the reaction attack [60] and malleability attacks.

VII. CONCLUSION
This paper introduced a variant of the McEliece public key cryptosystem based on polar codes, called PKC-PC. It has a number of benefits, such as a larger information rate and a smaller public key length, compared with the McEliece cryptosystem. By using the Kobara-Imai γ-conversion we aim to make the scheme secure against adaptive chosen ciphertext attacks; this also lets us convert the encryption matrix $G'$ into systematic form, which reduces the public key length. We have shown that the security of the PKC-PC reduces to solving the NP-complete PPSD and PPCE problems. The results of our investigation also show the flexibility of the PKC-PC. To design a secure and efficient PKC-PC, the parameters such as code length, code dimension and the Hamming weight of the error vector should be chosen so as to achieve a suitable tradeoff between security and efficiency.

REFERENCES
[1]
P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer”, SIAM J. Comput., vol. 26, no. 5, pp. 1484–1509, 1997.
[2] D. J. Bernstein, J. Buchmann, E. Dahmen (Eds.), Post-Quantum Cryptography, Springer, 2008.
[3] E. R. Berlekamp, R. J. McEliece, H. C. A. van Tilborg, “On the inherent intractability of certain coding problems”, IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 384–386, 1978.
[4] T. Johansson, F. Jönsson, “On the complexity of some cryptographic problems based on the general decoding problem”, IEEE Trans. Inf. Theory, vol. 48, no. 10, pp. 2669–2678, 2002.
[5] R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory”, DSN Progress Report, Jet Propulsion Laboratory, Pasadena, CA, pp. 114–116, 1978.
[6] H. M. Sun, “Further cryptanalysis of the McEliece public-key cryptosystem”, IEEE Commun. Lett., vol. 4, no. 1, pp. 18–19, 2000.
[7] H. Niederreiter, “Knapsack-type cryptosystems and algebraic coding theory”, Probl. Control Inf. Theory, vol. 15, no. 2, pp. 159–166, 1986.
[8] V. M. Sidelnikov, “A public-key cryptosystem based on Reed-Muller codes”, Discrete Math. Appl., vol. 4, no. 3, pp. 191–207, 1994.
[9] M. Baldi, F. Chiaraluce, “Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes”, IEEE Int. Symp. Inf. Theory (ISIT), Nice, France, pp. 2591–2595, 2007.
[10] M. Baldi, M. Bianchi, F. Chiaraluce, “Security and complexity of the McEliece cryptosystem based on quasi-cyclic low-density parity-check codes”, IET Inf. Security, vol. 7, no. 3, pp. 212–220, 2013.
[11] M. Koochak Shooshtari, M. Ahmadian-Attari, A. Payandeh, “Improving the security of McEliece-like public key cryptosystem based on LDPC codes”, Int. Conf. on Advanced Commun. Technology (ICACT), vol. 2, pp. 1050–1053, Feb. 2009.
[12] D. J. Bernstein, T. Lange, C. Peters, “Wild McEliece”, Int. Workshop on Selected Areas in Cryptography (SAC), LNCS, vol. 6544, pp. 143–158, 2011.
[13] D. J. Bernstein, T. Lange, C. Peters, “Wild McEliece incognito”, Int. Workshop on Post-Quantum Cryptography (PQCrypto), LNCS, vol. 7071, pp. 244–254, Springer, Heidelberg, 2011.
[14] P. S. L. M. Barreto, R. Lindner, R. Misoczki, “Monoidic codes in cryptography”, Int. Workshop on Post-Quantum Cryptography (PQCrypto), LNCS, vol. 7071, pp. 179–199, 2011.
[15] R. Misoczki, J.-P. Tillich, N. Sendrier, P. S. L. M. Barreto, “MDPC-McEliece: New McEliece variants from moderate density parity-check codes”, IACR Cryptology ePrint Archive, Report 2012/409, 2012.
[16] R. Misoczki, J.-P. Tillich, N. Sendrier, P. S. L. M. Barreto, “MDPC-McEliece: New McEliece variants from moderate density parity-check codes”, IEEE Int. Symp. Inf. Theory (ISIT), Istanbul, Turkey, pp. 2069–2073, 2013.
[17] T. Johansson, C. Löndahl, “A new version of McEliece PKC based on convolutional codes”, Int. Conf. on Inf. and Commun. Security (ICICS), LNCS, vol. 7618, pp. 461–470, Springer, Heidelberg, 2012.
[18] R. Hooshmand, M. K. Shooshtari, T. Eghlidos, M. R. Aref, “Public key cryptosystem based on low density lattice codes”, Wireless Personal Communications, vol. 92, no. 3, pp. 1107–1123, 2016.
[19] V. M. Sidelnikov, S. O. Shestakov, “On the insecurity of cryptosystems based on generalized Reed-Solomon codes”, Discrete Math. Appl., vol. 2, no. 4, pp. 439–444, 1992.
[20] L. Minder, A. Shokrollahi, “Cryptanalysis of the Sidelnikov cryptosystem”, EUROCRYPT 2007, LNCS, vol. 4515, pp. 347–360, 2007.
[21] M. Baldi, F. Chiaraluce, “Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes”, IEEE Int. Symp. Inf. Theory (ISIT), Nice, France, pp. 2591–2595, 2007.
[22] A. Otmani, J.-P. Tillich, L. Dallot, “Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes”, Mathematics in Computer Science, Beijing, China, pp. 69–81, 2008.
[23] A. Couvreur, A. Otmani, J.-P. Tillich, “Polynomial time attack on wild McEliece over quadratic extensions”, EUROCRYPT 2014, LNCS, vol. 8441, pp. 17–39, 2014.
[24] J.-C. Faugère, L. Perret, F. de Portzamparc, “Algebraic attack against variants of McEliece with Goppa polynomial of a special form”, ASIACRYPT 2014, LNCS, vol. 8873, pp. 21–41, 2014.
[25] G. Landais, J.-P. Tillich, “An efficient attack of a McEliece cryptosystem variant based on convolutional codes”, Int. Workshop on Post-Quantum Cryptography (PQCrypto), LNCS, vol. 7932, pp. 102–117, 2013.
[26] J.-C. Faugère, A. Otmani, L. Perret, F. de Portzamparc, J.-P. Tillich, “Structural cryptanalysis of McEliece schemes with compact keys”, Designs, Codes and Cryptography, vol. 79, no. 1, pp. 87–112, 2016.
[27] E. Arıkan, “Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels”, IEEE Trans. Inf. Theory, vol. 55, no. 7, pp. 3051–3073, 2009.
[28] H. Mahdavifar, A. Vardy, “Achieving the secrecy capacity of wiretap channels using polar codes”, IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6428–6443, 2011.
[29] R. Hooshmand, M. R. Aref, T. Eghlidos, “Secret key cryptosystem based on non-systematic polar codes”, Wirel. Pers. Commun., vol. 84, no. 2, pp. 1345–1373, 2015.
[30] R. Hooshmand, M. R. Aref, “Polar code-based secure channel coding scheme with small key size”, IET Commun., vol. 11, no. 15, pp. 2357–2361, 2017.
[31] R. Hooshmand, M. R. Aref, T. Eghlidos, “Physical layer encryption scheme using finite-length polar codes”, IET Commun., vol. 9, no. 15, pp. 1857–1866, 2015.
[32] R. Hooshmand, M. R. Aref, “Efficient polar code-based physical layer encryption scheme”, IEEE Wirel. Commun. Lett., vol. 6, no. 6, pp. 710–713, Dec. 2017.
[33] R. Hooshmand, M. K. Shooshtari, T. Eghlidos, M. R. Aref, “Reducing the key length of McEliece cryptosystem using polar codes”, Int. ISC Conf. on Inf. Security and Cryptology (ISCISC), pp. 104–108, 2014.
[34] S. R. Shrestha, Y.-S. Kim, “New McEliece cryptosystem based on polar codes as a candidate for post-quantum cryptography”, Int. Symp. on Commun. and Inf. Technologies (ISCIT), pp. 368–372, 2014.
[35] M. Bardet, J. Chaulet, V. Dragoi, A. Otmani, J.-P. Tillich, “Cryptanalysis of the McEliece public key cryptosystem based on polar codes”, Int. Workshop on Post-Quantum Cryptography (PQCrypto), LNCS, vol. 9606, pp. 118–143, 2016.
[36] E. Arıkan, “Systematic polar coding”, IEEE Commun. Lett., vol. 15, no. 8, pp. 860–862, 2011.
[37] E. Arıkan, “A performance comparison of polar codes and Reed-Muller codes”, IEEE Commun. Lett., vol. 12, no. 6, pp. 447–449, 2008.
[38] N. Goela, S. B. Korada, M. Gastpar, “On LP decoding of polar codes”, IEEE Inf. Theory Workshop (ITW), Dublin, pp. 1–5, 2010.
[39] A. Goli, S. H. Hassani, R. Urbanke, “Universal bounds on the scaling behavior of polar codes”, IEEE Int. Symp. Inf. Theory (ISIT), pp. 1957–1961, 2012.
[40] K. Kobara, H. Imai, “Semantically secure McEliece public-key cryptosystems: Conversions for McEliece PKC”, PKC 2001, LNCS, vol. 1992, pp. 19–35, 2001.
[41] H. Mahdavifar, M. El-Khamy, J. Lee, I. Kang, “Performance limits and practical decoding of interleaved Reed-Solomon polar concatenated codes”, IEEE Trans. Commun., vol. 62, no. 5, pp. 1406–1417, 2014.
[42] M. Finiasz, “NP-completeness of certain sub-classes of the syndrome decoding problem”, arXiv:0912.0453v1, 2009.
[43] D. J. Bernstein, T. Lange, C. Peters, “Attacking and defending the McEliece cryptosystem”, Post-Quantum Cryptography (PQCrypto 2008), LNCS, vol. 5299, pp. 31–46, 2008.
[44] A. Canteaut, N. Sendrier, “Cryptanalysis of the original McEliece cryptosystem”, ASIACRYPT 1998, LNCS, vol. 1514, pp. 187–199, 1998.
[45] J.-C. Faugère, V. Gauthier-Umaña, A. Otmani, L. Perret, J.-P. Tillich, “A distinguisher for high-rate McEliece cryptosystems”, IEEE Trans. Inf. Theory, vol. 59, no. 10, pp. 6830–6844, 2013.
[46] J. Stern, “A method for finding codewords of small weight”, Coding Theory and Applications, LNCS, vol. 388, pp. 106–113, 1989.
[47] I. Dumer, “On minimum distance decoding of linear codes”, Moscow, pp. 50–52, 1991.
[48] E. Prange, “The use of information sets in decoding cyclic codes”, IRE Trans. Inf. Theory, vol. 8, no. 5, pp. 5–9, 1962.
[49] P. J. Lee, E. F. Brickell, “An observation on the security of McEliece's public-key cryptosystem”, EUROCRYPT 1988, LNCS, vol. 330, pp. 275–280, 1988.
[50] A. Canteaut, F. Chabaud, “A new algorithm for finding minimum-weight words in a linear code: Application to McEliece's cryptosystem and to narrow-sense BCH codes of length 511”, IEEE Trans. Inf. Theory, vol. 44, no. 1, pp. 367–378, 1998.
[51] A. May, A. Meurer, E. Thomae, “Decoding random linear codes in Õ(2^{0.054n})”, ASIACRYPT 2011, LNCS, vol. 7073, pp. 107–124, 2011.
[52] A. Becker, A. Joux, A. May, A. Meurer, “Decoding random binary linear codes in 2^{n/20}: How 1 + 1 = 0 improves information set decoding”, EUROCRYPT 2012, LNCS, vol. 7237, pp. 520–536, 2012.
[53] A. May, I. Ozerov, “On computing nearest neighbors with applications to decoding of binary linear codes”, EUROCRYPT 2015, LNCS, vol. 9056, pp. 203–228, 2015.
[54] E. Fujisaki, T. Okamoto, “Secure integration of asymmetric and symmetric encryption schemes”, Journal of Cryptology, vol. 26, no. 1, pp. 80–101, 2013.
[55] D. Pointcheval, “Chosen-ciphertext security for any one-way cryptosystem”, PKC 2000, LNCS, vol. 1751, pp. 129–146, 2000.
[56] K. Kobara, H. Imai, “Countermeasure against reaction attacks”, Symposium on Cryptography and Information Security (SCIS), 2000.
[57] N. Döttling, R. Dowsley, J. Müller-Quade, A. C. A. Nascimento, “A CCA2 secure variant of the McEliece cryptosystem”, IEEE Trans. Inf. Theory, vol. 58, no. 10, pp. 6672–6680, 2012.
[58] R. Dowsley, J. Müller-Quade, A. C. A. Nascimento, “A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model”, CT-RSA 2009, LNCS, vol. 5473, pp. 240–251, 2009.
[59] T. A. Berson, “Failure of the McEliece public-key cryptosystem under message-resend and related-message attack”, CRYPTO 1997, LNCS, vol. 1294, pp. 213–220, 1997.
[60] C. Hall, I. Goldberg, B. Schneier, “Reaction attacks against several public-key cryptosystems”, Int. Conf. on Inf. and Commun. Security (ICICS 1999), LNCS, vol. 1726, pp. 2–12, 1999.