## No full-text available

To read the full-text of this research,

you can request a copy directly from the author.

Recently Chor and Rivest proposed a knapsack-type cryptosystem for low-weight message vectors. We introduce cryptosystems of this type involving public keys with fewer bits and yielding a higher information rate than the Chor-Rivest cryptosystem. The design of these cryptosystems is based on techniques from algebraic coding theory.

To read the full-text of this research,

you can request a copy directly from the author.

... Our proposal of a McEliece cryptosystem follows the dual version of Niederreiter [19], by means of a Key Encapsulations Mechanism like the one proposed in [1]. ...

... In order to generate the public and private keys for a McEliece type cryptosystem, the parameters m and s have to be found. These can be computed randomly via an exhaustive search to find pairs (m, δ) satisfying (19) and then looking for an s such that δ = gcd(s, dm). For instance, if n = 4096, t = 25, q = p d = 2, we get the following combinations: We set k = n − 2t n 4t , the smallest possible dimension, according to (19). ...

... These can be computed randomly via an exhaustive search to find pairs (m, δ) satisfying (19) and then looking for an s such that δ = gcd(s, dm). For instance, if n = 4096, t = 25, q = p d = 2, we get the following combinations: We set k = n − 2t n 4t , the smallest possible dimension, according to (19). Next pick randomly 1 ≤ s ≤ dm, and let δ = gcd(s, dm), μ = dm δ , L = F q m , K = F p δ and σ = τ s : L → L. Fix a basis of L over F and denote v : L → F m the map providing the coordinates with respect to this basis. ...

A class of linear codes that extends classical Goppa codes to a non-commutative context is defined. An efficient decoding algorithm, based on the solution of a non-commutative key equation, is designed. We show how the parameters of these codes, when the alphabet is a finite field, may be adjusted to propose a McEliece-type cryptosystem.

... The inability to distinguish between a scrambled parity check matrix and a random matrix is an NP-problem [9,10], so decoding a linear code without knowledge of its algebraic structure is also an NP-problem [11]. Another code-based cryptosystem is the Niederreiter cryptosystem [12] and this has been used in code-based digital signatures [13]. However, existing Niederreiter digital signatures are not widely used due to the computation time required for signing. ...

... The Niederreiter cryptosystem can be considered the dual of the McEliece cryptosystem [12]. It is based on the hardness of the syndrome decoding problem. ...

... The CFS signature scheme is a well-known code-based digital signature scheme based on the Niederreiter cryptosystem [12]. ...

Digital signature schemes are used for the authentication and verification of signatures. The Courtois–Finiasz–Sendrier (CFS) digital signature is a well‐known code‐based digital signature scheme based on the Niederreiter cryptosystem. However, it is not widely used due to the computation time of the signing algorithm. Most code‐based digital signature schemes are based on the Niederreiter cryptosystem. This paper proposes a new code‐based digital signature that is based on the McEliece cryptosystem. Key generation, signing, and verification algorithms are presented. The key generation algorithm constructs a public key using random inverse matrices. The signing algorithm has lower complexity and requires less computation time than the CFS scheme to sign a document. The verification algorithm is able to detect forgeries. It is shown that the proposed scheme is secure against public key structural attacks.

... The encryption method is equivalent to adding an artificial error vector to the plaintext and the decryption method correspond to decoding in this scheme. Niederreiter's algorithm [3] is another public key encryption scheme based on error-correcting codes. The encryption and decryption methods are based on syndrome decoding. ...

... Furthermore, some possible attacks are also analyzed in this section. Section 5 compares the proposed approach with the other systems e.g., McEliece [2], Niederreiter [3], and Feneuil et al. [27]. Section 6 collects concluding remarks. ...

... Only the legitimate client can decode using the bait. Niederreiter uses a syndrome as ciphertext, and the message is an error pattern instead of a codeword [3]. The security of McEliece's and Niederreiter's systems is demonstrated to be equivalent from the viewpoint of complexity theory [38], and it is based on the following assumptions [15]. ...

Blockchain is a method of recording information that makes it not feasible for the system to be replaced, attacked, or manipulated. A blockchain is equipped with a notebook that copies and processes the various procedures across the network of computers participating in the blockchain. Digital signature algorithm is one of the cryptographic protocols used by the blockchain. In this work, we introduce a new digital signature scheme based on error correcting codes. In the scheme constructed on a [n, k, d]− code over 𝔽q, which is d ≥ 2t + 1, and the size of the signature length is n − k. The signature verification is based on the bounded distance decoding of the code. Since the verification space is 𝔽qn, the proposed scheme has an improved performance in terms of working in a wider space.

... Non-square binary matrices are important in several digital communications domains including error-correction coding and code-based cryptography [10] [11]. In this paper, a method is presented to construct all generalized inverses of a binary matrix and an algorithm is given to provide a random inverse of a binary matrix. ...

... The (n−k)×n parity check matrix H satisfies the condition GH T = 0 and is a basis for the dual space of the code C n,k [11]. A parity check matrix in systematic form is given by ...

p>The applications of generalized inverse systematic non-square binary matrices span many domains including mathematics, error-correction coding, machine learning, data storage, navigation signals, and cryptography. In particular, they are employed in the McEliece and Niederreiter public key cryptosystems. For a systematic non-square matrix H of size (n-k) x n , n > k , there exist 2 <sup> k x (n-k) </sup> distinct inverse matrices. This paper presents an algorithm to generate these matrices as well as a method to construct a random inverse for systematic and non-systematic binary matrices. The proposed approach is shown to have lower computational complexity than the well-known Gauss-Jordan techniques. The application to public key cryptography (PKC) is also discussed.</p

... Therefore, one-way trapdoor function employed in the McEliece cryptosystem is the knowledge of the error correcting code together with permutation which is available for each Goppa code. Niederreiter Public Key Cryptosystem (PKC) [ 67] is a slight upgraded version of McEliece scheme which represents the coded message as word encoded into an error vector function φ n,t and φ n,t : {0, 1} l → W n,t , where n, t are parameters to generate key; W n,t = {e ∈ F n 2 |wt (e) = t}; l = |log 2 |W n,t || and wt (e) is the function for error coefficient. This trapdoor function a plaintext and cipher-text sizes in bits, b cycles per plaintext bytes c common to both algorithm scheme, d log 2 of the non-quantum binary work factor is quite inefficient to compute and time complexity is O(n 2 . ...

... CFS scheme repeatedly hash portions of the document and randomize upto a fixed count until the output is a decryptable ciphertext. There exists other newer codes, Gabidulin codes [ 28], Bose-Chaudhuri-Hocquenghem (BCH) codes [ 29], Reed-Muller codes [ 82], GRS codes [ 67], Algebraic geometric codes [ 42], Graph based Low-density parity-check code (LDPC), Luby transform (LT) or turbo code, Goppa/alternate codes [ 53] etc. which can also be incorporated as code based PQCs. ...

Recent development in the field of quantum computing pushed classical cryptosystem on the verge of serious security threat. Quantum cryptography employing quantum channel and post-quantum cryptography algorithms are two probable solutions to check the security problem. Among them post-quantum algorithms can be easily implemented on conventional computer systems and exhibit better resistant to classical as well as quantum computer based crypto-attacks and also can be realized using current VLSI technology. Hash, code, lattice or multivariate polynomial, chaotic dynamic system based cryptographic algorithms can be employed as cryptographic algorithms with optimal parameters such as key length, encryption speed etc. The choice of a suitable algorithm as per the requirement aids in the development of a robust system invincible against various malicious intrusion. Here a comparative study of various post quantum cryptography algorithms are presented along with our proposed lattice an chaotic dynamic system based encryption schemes.KeywordsQuantum computingpost-quantum cryptographysecurity

... Non-square binary matrices are used in error-correction coding, code-based cryptography and decoding algorithms [10] [11]. This present paper introduces an efficient algorithm for calculating all the generalized inverses of a binary matrix. ...

... This matrix can be employed to determine if a particular vector is a codeword. The H matrix can also be used for decoding algorithms [11]. A systematic parity check matrix has the form ...

p>The generalized inverses of systematic non-square binary matrices have applications in mathematics, channel coding and decoding, navigation signals, machine learning, data storage and cryptography such as the McEliece and Niederreiter public-key cryptosystems. A systematic non-square $(n-k) \times k$ matrix $H$, $n > k$, has $2^{k\times(n-k)}$ different generalized inverse matrices. This paper presents an algorithm for generating these matrices and compares it with two well-known methods, i.e. Gauss-Jordan elimination and Moore-Penrose methods. A random generalized inverse matrix construction method is given which has a lower execution time than the Gauss-Jordan elimination and Moore-Penrose approaches.</p

... Non-square binary matrices are used in error-correction coding, code-based cryptography and decoding algorithms [10] [11]. This present paper introduces an efficient algorithm for calculating all the generalized inverses of a binary matrix. ...

... This matrix can be employed to determine if a particular vector is a codeword. The H matrix can also be used for decoding algorithms [11]. A systematic parity check matrix has the form ...

p>The generalized inverses of systematic non-square binary matrices have applications in mathematics, channel coding and decoding, navigation signals, machine learning, data storage and cryptography such as the McEliece and Niederreiter public-key cryptosystems. A systematic non-square $(n-k) \times k$ matrix $H$, $n > k$, has $2^{k\times(n-k)}$ different generalized inverse matrices. This paper presents an algorithm for generating these matrices and compares it with two well-known methods, i.e. Gauss-Jordan elimination and Moore-Penrose methods. A random generalized inverse matrix construction method is given which has a lower execution time than the Gauss-Jordan elimination and Moore-Penrose approaches.</p

... Lattice-based cryptography has the reputation of being very efficient. Code-based cryptography using some codes is often considered to be already more mature and reliable such as McEliece [23] and Niederreiter [25] cryptosystems. ...

... During Round 2 the scheme merged with NTS-KEM, which was using the same codes. The Classic McEliece scheme uses the dual of McEliece's scheme, as proposed by Niederreiter [25], and tightly turns this OW-CPA PKE into an IND-CCA2 KEM. ...

The modern security protocols in most of our systems rely primarily on three basic functions of asymmetric cryptography: public key encryption, digital signature, and key exchange. Today, we only do key exchange (TLS 1.3) with the ECDH protocol. The confidentiality is persistent because the session keys are discarded at the end and to certify this key exchange, we sign it with RSA or ECDSA. However, these cryptosystems are at least theoretically attackable in a quantum computer model. Thus the NIST PQC standardization process has given significant momentum to research on code-based public-key cryptosystems specifically. Their security is based on the hardness of the syndrome decoding problem. In this article, we first propose a new formalism of the matrix-vector product in based-code cryptography. Second, we present a chosen-ciphertext attack on the first step of Niederreiter decryption by solving the matrix-vector product problem with side-channel information. Finally, we put this result to recover secret information in code-based cryptosystems including some candidates for the extension of the NIST PQC normalization process.KeywordsCode-based cryptographySide-channel attackMatrix-vector product problemNIST PQC standardization

... The cryptogram consists of (n-k) elements [10]. Vector e stores information that we want to encrypt. ...

... However, the obvious advantage of the hybrid cryptosystem, which is worth reminding, in terms of cryptosystem's efficiency, is that it allows one to encrypt a larger amount of information using the same number of keys, while providing an adequate level of protection [25][26][27][28][29][30][31]. This research might be useful for the improvement of various methods of information security [10][11][12][13], as well as other practical use [32][33][34][35][36]. promising direction, since they allow us to provide a higher speed of cryptographic transformation, an error control that can occur in the communication channel, as well as resistance to the classical and quantum cryptanalysis. Due to the above mentioned advantages of using codes for the purpose of constructing algorithms of post-quantum cryptography, a new hybrid algorithm, which combines principles of encryption in accordance with the cryptosystems of McEliece and Niederreiter, was proposed. ...

In this paper the basic principles of construction and operation of McEliece and Niederreiter cryptosystems based on the use of error-correcting codes were considered. A new hybrid cryptosystem that combines the rules of encryption according to the above-mentioned schemes is proposed. Also, this paper presents the analysis and comparative studies from the standpoint of stability, the volume of public and private keys, length of ciphertext and relative speed of information transmission of the new proposed scheme and McEliece and Niederreiter cryptosystems. It is considered from an analytical point of view and with the help of graphic images. Comparative studies revealed that the hybrid cryptosystem retains the positive aspects of its predecessors, as well as allows us to increase the relative transmission rate with the preservation of the stability indicator to the classical and quantum cryptanalysis. One disadvantage is the increase in decoding time by adding information extracted as in Niederreiter scheme, but the increase in this indicator is not critical. Despite the demonstrated benefits, it remains open to all cryptosystems to reduce the amount of the used key data, which, in the case of quantum computers to maintain stability, still needs to be increased once.

... Niederreiter achieves similar security to McEliece but with a faster encryption process. It also has potential for constructing a digital signature scheme [12]. Rainbow: It combines elements of both symmetric and asymmetric encryption. ...

This article provides an overview of various cryptography algorithms, discussing their mathematical underpinnings and the areas of mathematics needed to understand them. While not delving deeply into specific algorithmic details, the article aims to familiarize readers with the mathematical concepts and principles that are essential for understanding each of these algorithms. By providing an overview of the necessary mathematical backgrounds for various cryptography algorithms, this article aims to equip readers with the foundational knowledge needed to explore these algorithms in greater depth and to engage in the ongoing research and development in this rapidly evolving field.

... which is known as a circulant matrix. On the other hand, ideal matrix and ideal lattice play an important role in Ajtai's construction of a collision resistant Hash function, the related materials we refer to Lint, 1999;Niederreiter, 1986;. First, we have to establish some basic properties for an ideal matrix H * ( f ), most of them are known when H * ( f ) is a circulant matrix. ...

There are five models of fintech development in the world: the technology promotion model represented by the USA, the rule-driven model represented by the UK, the market pull model represented by China, the mixed competition model represented by Japan and Indonesia, and the model of fanning out from point to area represented by South Korea and Israel. In terms of the layout, the transformation of traditional financial hubs has been accelerated, China and the USA have outstanding advantages in fintech, and the Asia-Pacific region has great potential for fintech development. The fintech of China has been promoted to the worlds leading level; Japan boosts the rapid growth of fintech through advantages of backwardness; Singapore gathers innovative resources with a relaxed and inclusive atmosphere; South Korea promotes scale development of fintech industry by fanning out from point to area; India is gradually exerting its potential for fintech development; Israel builds the highland of fintech development through guidance plus service; Indonesia has gradually become a rising star in fintech development in Southeast Asia; Hong Kong promotes the momentum of sound fintech development with government assistance.

... which is known as a circulant matrix. On the other hand, ideal matrix and ideal lattice play an important role in Ajtai's construction of a collision resistant Hash function, the related materials we refer to (Ajtai, 1996;Ajtai & Dwork, 1997;Lint, 1999;Niederreiter, 1986;Plantard & Schneider, 2013;Pradhan et al., 2019). First, we have to establish some basic properties for an ideal matrix H * ( f ), most of them are known when H * ( f ) is a circulant matrix. ...

The main purpose of this chapter is to give a more general construction of NTRU based on ideal matrices and q-ary lattice theory. To understand our construction, first we discuss a more general form of the ordinary cyclic code, namely \(\phi \)-cyclic code, which firstly appeared in (Lopez-Permouth et al., 2009; Shi et al., 2020); thus, we give a more generalized NTRUEncrypt from replacing finite field by real number field \(\mathbb {R}\).Keywords\(\phi \)-cyclic codeIdeal matricesConvolutional modular LatticeNTRU

... We briefly present the McEliece cryptosystem [McE78] and its variant, Niederreiter [Nie86], and the KEM Classic McEliece whose implementation on ARM Cortex-M4 is the target of our attack. ...

The NIST Post-Quantum Cryptography (PQC) standardization challenge was launched in December 2016 and recently, has released its first results. The whole process has given a considerable dynamic to the research in post-quantum cryptography, in particular to practical aspects, such as the study of the vulnerabilities of post-quantum algorithms to side-channel attacks. In this paper, we present a realistic template attack against the reference implementation of Classic McEliece which is a finalist of the 4th round of NIST PQC standardization. This profiled attack allowed us to accurately find the Hamming weight of each coefficient of the Goppa polynomial. With only one decryption, this result enables us first, to find directly the Goppa polynomial in the case of weak keys with the method of Loidreau and Sendrier (P. Loidreau and N. Sendrier, “Weak keys in the McEliece public-key cryptosystem”, IEEE Trans. Inf. Theory, 2001). Then, in the case of “slightly less weak keys”, we also find this polynomial with an exhaustive search with low complexity. Finally, we propose the best complexity reduction for exhaustive Goppa polynomial search on \(\mathbb {F}_{2^m}\). We attack the constant-time implementation of Classic McEliece proposed by Chen et al. This implementation, which follows the NIST specification, is realized on a stm32f4-Discovery microcontroller with a 32-bit ARM Cortex-M4.KeywordsNIST PQC standardizationClassic McElieceSide-Channel AttackTemplate AttackGoppa Polynomial

... Syndrome decoding is a hard mathematical problem even for quantum computers, therefore generally proposed as a computational hardness assumption for code based cryptosystem safe against quantum cryptanalysis. Code based cryptography originated from the works of McEliece [22] in 1978 and Niederreiter [23] in 1986. As the current cryptographic systems like RSA, DHKE, ECDH, ECDSA, Elgamal, are soon becoming quantum vulnerable primitives, code based approach to post quantum cryptosystem security is one of the mathematical techniques penciled down to provide security against quantum computers and algorithms. ...

Contemporary cryptographic algorithms are resistant to the strongest threats to cybersecurity and high-profile cyber-attacks. In recent times, information security scientists and researchers had developed various cryptographic schemes that defeated attacks using the most sophisticated (in terms of processor speed) classical computer. However, this resistance will soon erode with the arrival of quantum computers. In this paper, we profiled quantum computers and quantum algorithms based on their widely believed threat against currently secure cryptographic primitives. We found that Grover’s and Shor’s quantum-based algorithms actually pose a threat to the continued security of symmetric cryptosystems (e.g. 128-bit AES) and asymmetric (public key) cryptosystems (e.g. RSA, Elgamal, elliptic curve Diffie Hellman (ECDH), etc.) respectively.We discovered that the source of the algorithms’ cryptanalytic power against the current systems, stems from the fact that they (Grover and Shor) both equipped their respective algorithms with a quantum circuit component that can execute the oracle in parallel by applying a single circuit to all possible states of an n-qubit input. With this exponential level of processing characteristic of quantum computers and quantum-based algorithms, it is easy for the current cryptosystems to be broken since the algorithms can existentially solve the underlying mathematical problems such as integer factorization, discrete logarithm problem and elliptic curve problem, which formed the basis of the security of the affected cryptosystems. Based on this realization and as part of our readiness for a post quantum era, we explored other mathematical structures (lattices, hashes, codes, isogenies, high entropy-based symmetric key resistance, and multivariate quadratic problems) whose hardness could surpass the cryptanalytic nightmare posed by quantum computers and quantum-based algorithms. Our contribution is that, based on the findings of this research work, we can confidently assert that all hope is not lost for organizations heavily relying on protocols and applications like HTTPS, TLS, PGP, Bitcoin, etc., which derived their security from the endangered cryptosystems.

... McEliece's cryptosystem and the Niederreiter cryptosystem that was proposed by Harald Niederreiter in 1986 [30] can be suitable and efficient for encryption, hashing, and signature generation. The McEliece cryptosystem has a basic disadvantage, which is the large size of the keys and ciphertexts. ...

The rapid development of quantum computing devices promises powerful machines with the potential to confront a variety of problems that conventional computers cannot. Therefore, quantum computers generate new threats at unprecedented speed and scale and specifically pose an enormous threat to encryption. Lattice-based cryptography is regarded as the rival to a quantum computer attack and the future of post-quantum cryptography. So, cryptographic protocols based on lattices have a variety of benefits, such as security, efficiency, lower energy consumption, and speed. In this work, we study the most well-known lattice-based cryptosystems while a systematic evaluation and comparison is also presented.

... BIKE scheme is based on Niederreiter's framework [52] (like CM) so that the encoding procedure is performed using the parity-check matrix. In BIKE, the parity-check matrix is deployed in its systematic format. ...

It is a matter of time before quantum computers will break the cryptosystems like RSA and ECC underpinning today’s internet protocols. As Post-Quantum Cryptography (PQC) is a low-cost approach compared to others like quantum key distribution, the National Institute of Standards and Technology (NIST) has recently reviewed and analyzed numerous approaches to PQC. As a PQC candidate, Bit Flipping Key Encapsulation (BIKE) is expected to be standardized as a general-purpose Key Encapsulation Mechanism (KEM) by NIST. However, it lacks a comprehensive review of BIKE associated with technical analysis. This paper aims to present an in-depth review and analysis of the BIKE scheme with respect to relevant attacks. We provide a comprehensive review of the original McEliece (ME) scheme and present a detailed discussion on its practical challenges. Furthermore, we provide an in-depth study on the challenges of ME and BIKE cryptosystems in achieving the Indistinguishability under Chosen-Ciphertext Attack (IND-CCA) security. We provide an analysis of these cryptosystems and their security against several attacks before pointing out the research gaps for strengthening BIKE.

... To address this issue, many variants of McEliece's scheme have been proposed, see, for example, [29][30][31][32][33][34]. In order to reduce the size of both public and private keys in code-based cryptography, Niederreiter in 1986 introduced a new cryptosystem [35]. Niederreiter's cryptosystem is a dual version of McEliece's cryptosystem with some additional properties such that the ciphertext length is relatively smaller. ...

A key encapsulation mechanism ( KEM {\mathsf{KEM}} ) that takes as input an arbitrary string, i.e., a tag, is known as tag- KEM {\mathsf{KEM}} , while a scheme that combines signature and encryption is called signcryption. In this article, we present a code-based signcryption tag- KEM {\mathsf{KEM}} scheme. We utilize a code-based signature and an IND - CCA2 {\mathsf{IND}}\hspace{0.1em}\text{-}\hspace{0.1em}{\mathsf{CCA2}} (adaptive chosen ciphertext attack) secure version of McEliece’s encryption scheme. The proposed scheme uses an equivalent subcode as a public code for the receiver, making the NP-completeness of the subcode equivalence problem be one of our main security assumptions. We then base the signcryption tag- KEM {\mathsf{KEM}} to design a code-based hybrid signcryption scheme. A hybrid scheme deploys asymmetric- as well as symmetric-key encryption. We give security analyses of both our schemes in the standard model and prove that they are secure against IND - CCA2 {\mathsf{IND}}\hspace{0.1em}\text{-}\hspace{0.1em}{\mathsf{CCA2}} (indistinguishability under adaptive chosen ciphertext attack) and SUF - CMA {\mathsf{SUF}}\hspace{0.1em}\text{-}\hspace{0.1em}{\mathsf{CMA}} (strong existential unforgeability under chosen message attack).

... Another example of code-based cryptography is the Niederreiter cryptosystem [14], which is based on the hardness of computing discrete logarithms in certain finite fields. The Niederreiter cryptosystem has some advantages over the McEliece cryptosystem, such as smaller key sizes and faster encryption and decryption times. ...

Code-based cryptography is a promising candidate for post-quantum cryptography dueto its strong security guarantees and efficient implementations. In this paper, we explore the useof code-based cryptography for multi-party computation and digital signatures, two importantcryptographic applications. We present several efficient and secure code-based protocols for theseapplications, based on the McEliece cryptosystem and its variants. Our protocols offer strong securityguarantees against both classical and quantum attacks, and have competitive performance comparedto other post-quantum cryptographic schemes. We also compare code-based cryptography withother post-quantum schemes, including lattice-based and hash-based cryptography, and discuss theadvantages and disadvantages of each approach.

... Therefore, various plans have been presented to reduce the key length of code-based cryptosystems. For example, as a McEliece variant, Niederreiter [34] was proposed to alleviate the key length problem to some extent. ...

p>This is a review of research challenges and opportunities for post-quantum blockchains in the IoT. </p

... Therefore, various plans have been presented to reduce the key length of code-based cryptosystems. For example, as a McEliece variant, Niederreiter [34] was proposed to alleviate the key length problem to some extent. ...

p>This is a review of research challenges and opportunities for post-quantum blockchains in the IoT. </p

... Криптограма складається з (n-k) елементів [10] . Вектор e зберігає у собі інформацію, що прагнемо зашифрувати, тобто є інформаційним вектором. ...

The basic principles of construction and operation of McEliece and Niederreiter cryptosystems based on the use of error-correcting codes are considered. A new hybrid cryptosystem, that combines rules of encryption according to the above-mentioned schemes, is proposed. Also, an analysis and comparative studies are carried out in terms of stability, volume of public and private keys, length of ciphertext and relative speed of information transmission of the new proposed scheme and McEliece and Niederreiter cryptosystems presented both in an analytical form and by means of a graphic. Comparative studies revealed that the hybrid cryptosystem retains the positive aspects of its predecessors, as well as allows increase in the relative transmission rate with the preservation of the stability indicator to the classical and quantum cryptanalysis, but, unfortunately, one important limitation is still preserved - a large size of the required key data.

... Interestingly enough, it was proved in [CGG`14] that square code considerations could also be used to mount an attack on McEliece or Niederreiter schemes based on Generalized Reed-Solomon (GRS) codes. Recall that this scheme was proposed in [Nie86] and was subsequently broken in [SS92]. Note that when the extension degree of the Goppa code is 1 (i.e. the support of the Goppa code is defined over the same field as the Goppa code itself), a Goppa code is indeed a GRS code, so a McEliece scheme based on a Goppa code of extension degree 1 can be attacked with the [SS92] attack. ...

A long standing open question is whether the distinguisher of high rate alternant codes or Goppa codes \cite{FGOPT11} can be turned into an algorithm recovering the algebraic structure of such codes from the mere knowledge of an arbitrary generator matrix of it. This would allow to break the McEliece scheme as soon as the code rate is large enough and would break all instances of the CFS signature scheme. We give for the first time a positive answer for this problem when the code is {\em a generic alternant code} and when the code field size $q$ is small : $q \in \{2,3\}$ and for {\em all} regime of other parameters for which the aforementioned distinguisher works. This breakthrough has been obtained by two different ingredients : (i) a way of using code shortening and the component-wise product of codes to derive from the original alternant code a sequence of alternant codes of decreasing degree up to getting an alternant code of degree $3$ (with a multiplier and support related to those of the original alternant code); (ii) an original Gr\"obner basis approach which takes into account the non standard constraints on the multiplier and support of an alternant code which recovers in polynomial time the relevant algebraic structure of an alternant code of degree $3$ from the mere knowledge of a basis for it.

... McEliece encryption scheme relies on the use of generator matrices. We have actually presented Niederreiter encryption scheme [Nie86]. The security of both schemes is the same. ...

These lecture notes have been written for courses given at \'Ecole normale sup\'erieure de Lyon and summer school 2022 in post-quantum cryptography that took place in the university of Budapest. Our objective is to give a general introduction to the foundations of code-based cryptography which is currently known to be secure even against quantum adversaries. In particular we focus our attention to the decoding problem whose hardness is at the ground of the security of many cryptographic primitives, the most prominent being McEliece and Alekhnovich' encryption schemes.

... BIKE is a post-quantum KEM based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes [2]. These codes are used in a scheme similar to that first proposed by Niederreiter [24]. BIKE distinguishes itself for its good trade-off between ciphertext and key lengths and performance, making it a good candidate for standardization after the fourth round [22]. ...

NIST is conducting a process for the standardization of post-quantum cryptosystems, i.e., cryptosys-tems that are resistant to attacks by both traditional and quantum computers and that can thus substitute the traditional public-key cryptography solutions which are expected to be broken by quantum computers in the next decades. This manuscript provides an overview and a comparison of the existing state-of-the-art implementations of the BIKE QC-MDPC code-based post-quantum KEM, a candidate in NIST's PQC standardization process. We consider both software, hardware, and mixed hardware-software implementations and evaluate their performance and, for hardware ones, their resource utilization. Traditional public-key cryptosystems (PKC), including RSA [27], ECDSA [6], and Diffie-Hellman [11], underpin cryptographically secure key exchange mechanisms and digital signature schemes. Such cryptoschemes are however expected to be broken by quantum computers in the upcoming decades [23]. The threat posed by quantum computers requires the definition and the design of alternative cryptosystems that perform the same functions as PKC ones, maintaining security against traditional computer attacks while ensuring security against quantum computer attacks. Post-quantum cryptography (PQC) aims to develop cryptosystems that are resistant to both traditional attacks and new quantum attack models, which can be implemented on traditional architecture computers and existing devices, and that can be integrated into the networks and communication protocols currently in use [7].

... In 1986, Niederreiter proposed a dual-variant of the McEliece scheme [Nie86]: In his version, a parity check matrix H ∈ F (n−k)×n 2 is used as public key and the sender encodes the message as an error vector e ∈ F n 2 of weight t and encrypts it to a ciphertext c ∈ F n−k 2 as the syndrome c = He. Again, the receiver uses the secret code structure in order to recover the error positions in the syndrome and hence the plaintext. ...

We present the first specification-compliant constant-time FPGA implementation of the Classic McEliece cryptosystem from the third-round of NIST’s Post-Quantum Cryptography standardization process. In particular, we present the first complete implementation including encapsulation and decapsulation modules as well as key generation with seed expansion. All the hardware modules are parametrizable, at compile time, with security level and performance parameters. As the most time consuming operation of Classic McEliece is the systemization of the public key matrix during key generation, we present and evaluate three new algorithms that can be used for systemization while complying with the specification: hybrid early-abort systemizer (HEA), single-pass early-abort systemizer (SPEA), and dual-pass earlyabort systemizer (DPEA). All of the designs outperform the prior systemizer designs for Classic McEliece by 2.2x to 2.6x in average runtime and by 1.7x to 2.4x in time-area efficiency. We show that our complete Classic McEliece design for example can perform key generation in 5.2 ms to 20 ms, encapsulation in 0.1 ms to 0.5 ms, and decapsulation in 0.7 ms to 1.5 ms for all security levels on an Xlilinx Artix 7 FPGA. The performance can be increased even further at the cost of resources by increasing the level of parallelization using the performance parameters of our design.

... (A brief history of early code-based cryptography) McEliece first presented code-based cryptosystems using binary Goppa codes in 1978 [37]. In 1986, Niederreiter proposed a knapsack-type public-key cryptosystem based on error-correction codes using GRS codes [42]. Subsequently, the Niederreiter method was demonstrated to be as secure as the McElice cryptosystem. ...

Modern societies have adopted government-issued fiat currencies many of which exist today mainly in the form of digits in credit and bank accounts. Fiat currencies are controlled by central banks for economic stimulation and stabilization. Boom-and-bust cycles are created. The volatility of the cycle has become increasingly extreme. Social inequality due to the concentration of wealth is prevalent worldwide. As such, restoring sound money, which provides stored value over time, has become a pressing issue. Currently, cryptocurrencies such as Bitcoin are in their infancy and may someday qualify as sound money. Bitcoin today is considered as a digital asset for storing value. But Bitcoin has problems. The first issue of the current Bitcoin network is its high energy consumption consensus mechanism. The second is the cryptographic primitives which are unsafe against post-quantum (PQ) attacks. We aim to propose Green Bitcoin which addresses both issues. To save energy in consensus mechanism, we introduce a post-quantum secure (self-election) verifiable coin-toss function and novel PQ secure proof-of-computation primitives. It is expected to reduce the rate of energy consumption more than 90 percent of the current Bitcoin network. The elliptic curve cryptography will be replaced with PQ-safe versions. The Green Bitcoin protocol will help Bitcoin evolve into a post-quantum secure network.

... BIKE is a post-quantum KEM based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes [2]. These codes are used in a scheme similar to that first proposed by Niederreiter [24]. BIKE distinguishes itself for its good trade-off between ciphertext and key lengths and performance, making it a good candidate for standardization after the fourth round [22]. ...

NIST is conducting a process for the standardization of post-quantum cryptosystems, i.e., cryptosystems that are resistant to attacks by both traditional and quantum computers and that can thus substitute the traditional public-key cryptography solutions which are expected to be broken by quantum computers in the next decades. This manuscript provides an overview and a comparison of the existing state-of-the-art implementations of the BIKE QC-MDPC code-based post-quantum KEM, a candidate in NIST's PQC standardization process. We consider both software, hardware, and mixed hardware-software implementations and evaluate their performance and, for hardware ones, their resource utilization.

... Класичний McEliece -це схема транспортування ключів на основі коду, заснована на варіанті Niederreiter [16] схеми шифрування McEliece [17], створеному за допомогою двійкових кодів Гоппи. Оригінальна криптосистема McEliece була представлена ще в 1978 році, тому вона має довгу історію незламування порівняно з іншими постквантовими криптосистемами. ...

Virtually all asymmetric cryptographic schemes currently in use are threatened by the potential development of powerful quantum computers. Although there is currently no definite answer and it is very unclear when or even if CRQC will ever be built and the gap between modern quantum computers and the envisioned CRQC is huge, the risk of creating CRQC means that currently deployed public key cryptography must be replaced by quantum-resistant ones alternatives. For example, information encrypted using modern public key cryptography can be recorded by cryptanalysts and then attacked if a QRQC can be created. The potential harm that CRQC could cause is the basis of the motivation to seek countermeasures, even though we have uncertainties about when and if these computers can be built. Deployed systems that use public key cryptography can also take years to update. Post-quantum cryptography is one way to combat quantum computer threats. Its security is based on the complexity of mathematical problems that are currently considered unsolvable efficiently – even with the help of quantum computers. Post-quantum cryptography deals with the development and research of asymmetric cryptosystems, which, according to current knowledge, cannot be broken even by powerful quantum computers. These methods are based on mathematical problems for the solution of which neither efficient classical algorithms nor efficient quantum algorithms are known today. Various approaches to the implementation of post-quantum cryptography are used in modern research, including: code-based cryptography, lattice-based cryptography, hashing-based cryptography, isogeny-based cryptography, and multidimensional cryptography. The purpose of this work is to review the computational model of quantum computers; quantum algorithms, which have the greatest impact on modern cryptography; the risk of creating cryptographically relevant quantum computers (CRQC); security of symmetric cryptography and public key cryptography in the presence of CRQC; NIST PQC standardization efforts; transition to quantum-resistant public-key cryptography; relevance, views and current state of development of quantum-resistant cryptography in the European Union. It also highlights the progress of the most important effort in the field: NIST's standardization of post-quantum cryptography.

... Although the security of codebased cryptography is related to the fact from the complexity theory that syndrome decoding in an arbitrary linear code is difficult, most known code-based cryptosystems typically use codes with special algebraic structures that allowefficient syndrome decoding, and the designers mainly focus on finding appropriate tricks (usually without theoretical guarantees) to hide the structures of those codes (Bucerzan et al., 2017). A wellknown variant of the McEliece cryptosystem is the so-called Niederreiter cryptosystem (Niederreiter, 1986). However, both cryptosystems are equivalent in term of security when employing the same code (Li et al., 1994). ...

Due to developments within the field of quantum computers, the need for developing and implementing quantum-resistant cryptographic (post-quantum cryptography) algorithms has become more urgent. The security of current public-key cryptosystems relies on the hardness of factoring large integers or solving discrete logarithm problems. However, these mathematical problems can be solved in polynomial time (efficiently) using a quantum computer. In response, there has been intense research into post-quantum cryptography. This science is the study of cryptosystems that would be secure against adversaries who have both quantum and classical computers and that can be deployed without drastic changes to existing communication networks and protocols. This paper gives an overview of the current state of the art of the alternative public-key schemes that have the capability to resist quantum computer attacks and consider their main
characteristics.

... To tackle this problem, various improvements have been proposed one after another. In general, these variants can be divided into two categories: one is to replace Goppa codes with other Hamming metric codes [1,4,23,31], the other is to use codes endowed with other metric [2,22]. ...

This paper presents a key recovery attack on a rank metric based cryptosystem proposed by Lau and Tan at ACISP 2018, which uses Gabidulin codes as the underlying decodable code. This attack is shown to cost polynomial time and therefore completely breaks the cryptosystem. Specifically, we convert the problem of recovering the private key into solving a multivariate linear system over the base field. We then present a simple repair for this scheme, which is shown to require exponential complexity for the proposed attack. Additionally, we apply this attack to cryptanalyze another Gabidulin code based cryptosystem proposed by Loidreau at PQCrypto 2017, and improve Loidreau’s result in a talk at CBCrypto 2021.KeywordsPost-quantum cryptographyCode-based cryptographyGabidulin codesKey recovery attack

Code-based cryptography has received a lot of attention recently because it is considered secure under quantum computing. Among them, the QC-MDPC based scheme is one of the most promising due to its excellent performance. QC-MDPC based schemes are usually subject to a small rate of decryption failure, which can leak information about the secret key. This raises two crucial problems: how to accurately estimate the decryption failure rate and how to use the failure information to recover the secret key. However, the two problems are challenging due to the difficulty of geometrically characterizing the bit-flipping decoder employed in QC-MDPC, such as using decoding radius.In this work, we introduce the gathering property and show it is strongly connected with the decryption failure rate of QC-MDPC. Based on this property, we present two results for QC-MDPC based schemes. The first is a new construction of weak keys obtained by extending the keys that have gathering property via ring isomorphism. For the set of weak keys, we present a rigorous analysis of the probability, as well as experimental simulation of the decryption failure rates. Considering BIKE’s parameter set targeting 128-bit security, our result eventually indicates that the average decryption failure rate is lower bounded by \(\text {DFR}_{\text {avg}} \ge 2^{-116.61}\). The second entails two key recovery attacks against CCA secure QC-MDPC schemes using decryption failures in a multi-target setting. The two attacks consider whether or not it is allowed to reuse ciphertexts respectively. In both cases, we show the decryption failures can be used to identify whether a target’s secret key satisfies the gathering property. Then using the gathering property as an extra information, we present a modified information set decoding algorithm that efficiently retrieves the target’s secret key. For BIKE’s parameter set targeting 128-bit security, we show a key recovery attack with complexity \(2^{116.61}\) can be mounted if ciphertexts reusing is not permitted, and the complexity can be reduced to \(2^{98.77}\) when ciphertexts reusing is permitted.KeywordsPost-quantum cryptographyCode-based cryptographyDecryption failureBIKEQC-MDPCInformation set decoding

Code-based cryptography is a candidate for post-quantum cryptography and the security of code-based cryptosystems relate to the hardness of the syndrome decoding problem. The Information Set Decoding (ISD) algorithm initiated by Prange is a typical method for solving the syndrome decoding problem. Various methods have been proposed that make use of exponentially large lists to accelerate the ISD algorithm. Furthermore, Bernstein (PQCrypto 2010) and Kachigar and Tillich (PQCrypto 2017) applied Grover’s algorithm and quantum walks to obtain quantum ISD algorithms that are much faster than their classical ones. These quantum ISD algorithms also require exponentially large lists as the classical algorithms, and they must be kept in quantum states. In this paper, we propose a new quantum ISD algorithm by combining Both and May’s classical ISD algorithm (PQcrypto 2018), Grover’s algorithm, and Kirshanova’s quantum walk (PQCrypto 2018). The proposed algorithm keeps an exponentially large list in the quantum state just like the existing quantum ISD algorithms, but the list size is much smaller. Although the proposed algorithm is slower than the existing algorithms when there is sufficient quantum memory, it is fastest when the amount of quantum memory is limited. Due to the property, we believe that our algorithm will be the fastest ISD algorithm in actual quantum computing since large-scale quantum computers seem hard to realize.Keywordscode-based cryptographysyndrome decoding probleminformation set decodingquantum algorithm

The security of most code-based cryptosystems relies on the hardness of the syndrome decoding (SD) problem. The best solvers of the SD problem are known as information set decoding (ISD) algorithms. Recently, Weger, et al. (2020) described Stern’s ISD algorithm, s-blocks algorithm and partial Gaussian elimination algorithms in the Lee metric over an integer residue ring \({{\boldsymbol{Z}}_{{p^m}}}\), where p is a prime number and m is a positive integer, and analyzed the time complexity. In this paper, the authors apply a binary ISD algorithm in the Hamming metric proposed by May, et al. (2011) to solve the SD problem over the Galois ring GR(pm, k) endowed with the Lee metric and provide a detailed complexity analysis. Compared with Stern’s algorithm over \({{\boldsymbol{Z}}_{{p^m}}}\) in the Lee metric, the proposed algorithm has a significant improvement in the time complexity.

As the development of quantum machines is booming and would threaten our standard cryptography algorithms, a transition period is necessary for the protection of the data processed by our classical machines as well before the arrival of theses machines as after.Recently, to get ahead of the curve, the National Institute of Standards and Technology (NIST) launched the Post Quantum Cryptography Standardization Project, started since late 2016. Among finalists, 3 promising code-theoretic finalist candidates, Classic McEliece, BIKE, and HQC are sent to the fourth round.In this work, to reduce classical McEliece key size without loss of security, we present a new key generation algorithm by introducing new family of codes called quasi-centrosymmetric Goppa codes with a moderate key size for storage optimisation. We also have characterized these codes in the case where the parity matrix is in Cauchy form by giving an algorithm to build them. We ended up giving a detailed analysis of the security against the most known structural attacks by giving the new complexities.KeywordsPost-quantum CryptographyCoding-based CryptographyGoppa CodeMcElieceQuasi-CentrosymmetricClassic McEliece

The rapid development of quantum computing devices promises powerful machines with capabilities that solve a wide range of problems that traditional computers cannot. Therefore, quantum computers generate new threats at unprecedented speed and scale and specifically pose an enormous threat to encryption. Lattice-based cryptography is considered to be the rival to a quantum computer attack and the future of post-quantum cryptography. So, cryptographic protocols based on lattices have a variety of benefits, like security, efficiency, lower energy consumption, and speed. In this work, we study the most well-known lattice-based cryptosystems while a systematic evaluation and comparison is presented also, and focuses on their strengths and weaknesses.

Recently, F. Ivanov, E. Krouk and V. Zyablov proposed new cryptosystem based of Generalized Reed–Solomon (GRS) codes over field extensions. In their approach, the subfield images of GRS codes are masked by a special transform, so that the resulting public codes are not equivalent to subfield images of GRS code but burst errors still can be decoded. In this paper, we show that the complexity of message–recovery attack on this cryptosystem can be reduced due to using burst errors, and the secret key of Ivanov–Krouk–Zyablov cryptosystem can successfully recovered in polynomial time with a linear–algebra based attack and a square–based attack.KeywordsCode–based cryptographyGRS codesField extensionsSubspace subcodesProjected codesInformation–set decodingKey–recovery attack

We present a key-recovery fault injection attack on the Classic McEliece Key Encapsulation Mechanism (KEM). The fault injections target the error-locator polynomial of the Goppa code and the validity checks in the decryption algorithm, making a chosen ciphertext attack possible. Faulty decryption outputs are used to generate a system of polynomial equations in the secret support elements of the Goppa code. After solving the equations, we can determine a suitable Goppa polynomial and form an alternative secret key. To demonstrate the feasibility of the attack on hardware, we simulate the fault injections on virtual prototypes of two RISC-V cores at register-transfer level.KeywordsPost-Quantum CryptographyKey RecoveryFault AttackLaser Fault InjectionsClassic McElieceKey Encapsulation Mechanism

In this work, we present a configurable and side channel resistant implementation of the post-quantum key-exchange algorithm CRYSTALS-Kyber . The implemented design can be configured for different performance and area requirements leading to different trade-offs for different applications. A low area implementation can be achieved in 5269 LUTs and 2422 FFs, whereas a high performance implementation required 7151 LUTs and 3730 FFs. Due to a deeply pipelined architecture, a high operating speed of more than 250 MHz could be achieved on 28nm Xilinx FPGAs. The side channel resistance is implemented using a carefully chosen set of novel and known techniques such as Fault Detection Hashes, Instruction Randomization, FSM Protection etc. resulting in a low overhead of less than \(5\% \) while being highly configurable. To the best of our knowledge, this work presents the first side-channel and fault attack protected configurable accelerator for CRYSTALS-Kyber . Using TVLA (test vector leakage assessment), we validate the implemented protection techniques and demonstrate that the design does not leak information even after 200K traces. Furthermore, one of the configuration choices results in the smallest hardware implementation of CRYSTALS-Kyber known in literature.

Security mechanisms of Electronic Personal Documents (eCards) depend on (asymmetric) cryptography that is and always has been subject to the threat of compromise, be it from conventional attacks or Quantum Computers (QC). With Post-Quantum Cryptography (PQC) we now have alternative building blocks at hand that can be leveraged to protect against both kind of attacks. Thus, PQC should be incorporated into eCard ecosystems, yet it is not clear how this is done best. In the work at hand we review the state of currently used crypto-systems for eCard security, as well as their possible quantum-secure replacements. Further, we identify and categorize respective challenges that need to be addressed, present and assess existing approaches for their solution, and formulate research questions for open issues. By providing an overview of the situation, we help unraveling the issue, and pave the way towards quantum-safe electronic Identity Documents (eIDs) and electronic Machine-Readable Travel Documents (eMRTDs).

The maximum likelihood decoding problem (MLD) is known to be NP-hard and its complexity is strictly related to the security of some post-quantum cryptosystems, that is, the so-called code-based primitives. Analogously, the multivariate quadratic system problem (MQ) is NP-hard and its complexity is necessary for the security of the so-called multivariate-based primitives. In this paper we present a closed formula for a polynomial-time reduction from any instance of MLD to an instance of MQ, and viceversa. We also show a polynomial-time isomorphism between MQ and MLD, thus demonstrating the direct link between the two post-quantum cryptographic families.

Cryptography is used to protect sensitive information, but it is also required in many applications to ensure secure functionality and availability. The 100-year-old principles of physics are becoming industrially controllable, which leads to the era of the industrial quantum revolution. Products and applications such as quantum sensors, quantum simulators, quantum computers, and quantum cryptography are developing, which will affect the design of secure cryptographic systems. Post-quantum cryptography is a new field of research developing parallel to the progress in quantum technologies. Post-quantum cryptography deals with the development and investigation of algorithms that are assumed to be unbreakable even with quantum computers. This chapter will discuss the quantum and post-quantum cryptographic algorithms in detail and the migration strategies from classical asymmetric algorithms to post-quantum algorithms. This chapter also discusses the finance organization's readiness and recommendation for the replacement of vulnerable asymmetric algorithms with post-quantum algorithms.

The minimum distance of a linear code is a key concept in information theory. Therefore, the time required by its computation is very important to many problems in this area. In this paper, we introduce a family of implementations of the Brouwer-Zimmermann algorithm for distributed-memory architectures for computing the minimum distance of a random linear code over \(\mathbb {F}_{2} \) . Both current commercial and public-domain software only work on either unicore architectures or shared-memory architectures, which are limited in the number of cores/processors employed in the computation. Our implementations focus on distributed-memory architectures, thus being able to employ hundreds or even thousands of cores in the computation of the minimum distance. Our experimental results show that our implementations are much faster, even up to several orders of magnitude, than current implementations widely used nowadays.

In this paper, we investigate the practical performance of rank-code based cryptography on FPGA platforms by presenting a case study on the quantum-safe KEM scheme based on LRPC codes called ROLLO, which was among NIST post-quantum cryptography standardization round-2 candidates. Specifically, we present an FPGA implementation of the encapsulation and decapsulation operations of the ROLLO KEM scheme with some variations to the original specification. The design is fully parameterized, using code-generation scripts to support a wide range of parameter choices for security levels specified in ROLLO. At the core of the ROLLO hardware, we presented a generic approach for hardware-based Gaussian elimination, which can process both non-singular and singular matrices. Previous works on hardware-based Gaussian elimination can only process non-singular ones. However, a plethora of cryptosystems, for instance, quantum-safe key encapsulation mechanisms based on rank-metric codes, ROLLO and RQC, which are among NIST post-quantum cryptography standardization round-2 candidates, require performing Gaussian elimination for random matrices regardless of the singularity. To the best of our knowledge, this work is the first hardware implementation for rank-code-based cryptographic schemes. The experimental results suggest rank-code-based schemes can be highly efficient.

ResearchGate has not been able to resolve any references for this publication.