Method and Apparatus for Error Correcting Code Based Public Key Encryption Schemes

Abstract

This invention discloses a method and system for generating a private key and a corresponding public key. These keys can be used for encrypting a message into a ciphertext for transmission through an insecure communication channel, and for decrypting said ciphertext into a clear plaintext. The goal of the present invention is to provide encryption and decryption methods of the McEliece type which are capable of improving the security level of a post-quantum cryptosystem. In one embodiment, this object is achieved by three methods: a method for creating a public key from a private linear code generator matrix, a method for encrypting a message into a ciphertext and a method for decrypting the ciphertext into a plaintext. The key generation and encryption methods of the present invention comprises the following steps: selecting an [n, k] linear code generator matrix G.sub.s=[g.sub.0, . . . , g.sub.n] over GF(q) as the private key, where k, r, n and q are positive integers and where g.sub.0, . . . , g.sub.n1 are length k column vectors; selecting kr random matrices C.sub.0, . . . , C.sub.n1; selecting a kk non-singular matrix S; selecting an n(r+1)n(r+1) matrix A; selecting an n(r+1)n(r+1) permutation matrix P; and setting the public key as G=S[g.sub.0, C.sub.0, . . . , g.sub.n1, C.sub.n1]AP. receiving a public key G, which is a kn(r+1) matrix over a finite field GF(q); generating an error vector e having elements in GF(q) and having a predetermined weight t; and encrypting a message vector m to a ciphertext vector y=mG+e.
The main difference between the proposed cryptosystem and known variants of the McEliece cryptosystem consists in the way the private generator matrix is disguised into the public one by inserting and mixing random columns within the private generator matrix.

Claims

1. A method for generating a public key G and for generating a private key K from an error correcting code generator matrix G.sub.s, the method comprising: a) obtaining said kn generator matrix G.sub.s for an [n, k, d] linear code over a finite field GF(q), wherein n, k, d, q are positive integers; b) obtaining a kn(r+1) matrix G.sub.1 by inserting rn random columns into said matrix G.sub.s, wherein r is a positive integer; c) selecting a random kk non-singular matrix S; d) selecting a random n(r+1)n(r+1) non-singular matrix A; e) selecting a random n(r+1)n(r+1) permutation matrix P; f) computing said public key G=SG.sub.1AP; and g) obtaining said private key K=(S, G.sub.s, A, P).

2. The method of claim 1 wherein computing said kn(r+1) matrix G.sub.1 comprises: a) obtaining matrix columns g.sub.0, . . . , g.sub.n1 from said generator matrix G.sub.s; b) selecting random kr matrices C.sub.0, C.sub.1, . . . , C.sub.n1 where C.sub.0, C.sub.1, . . . , C.sub.n1 have elements in GF(q); and c) obtaining said kn(r+1) matrix G.sub.1=[g.sub.0, C.sub.0, g.sub.1, C.sub.1, . . . , g.sub.n1, C.sub.n1].

3. The method of claim 1 wherein selecting said non-singular matrix A comprises: a) selecting random (r+1)(r+1) matrices A.sub.0, A.sub.1, . . . , A.sub.n1 where A.sub.0, A.sub.1, . . . , A.sub.n1 have elements in GF(q); and b) obtaining said n(r+1)n(r+1) matrix $A=\left[\begin{array}{cccc}{A}_0& & & \\ & A_1& & \\ & & & \\ & & & A_{n-1}\end{array}\right].$

4. The method of claim 3 wherein said kn(r+1) matrix G.sub.1 is computed according to the method of claim 2.

5. A method for transmitting a message vector m between a sender and a receiver securely, the method comprising: a) at the receiver: obtaining a kn generator matrix G.sub.s for an [n, k, d] linear code over a finite field GF(q), wherein n, k, d, q, t are positive integers, and wherein a linear code generated by said generator matrix G.sub.s corrects at least t errors; calculating a kn(r+1) public key matrix G using said G.sub.s; sending said public key matrix G to said sender; and obtaining a private key K from said G.sub.s; b) at the sender: obtaining said integer n; obtaining said integer k, obtaining said integer d; obtaining said finite field GF(q); obtaining said message encryption public key G from said receiver; obtaining said message vector m having elements in GF(q); generating an error vector e where e has elements in GF(q), and where e has a predetermined weight t; computing a ciphertext vector y=mG+e; and sending said ciphertext vector y to the receiver; c) at the receiver: obtaining said ciphertext vector y from the sender; computing an inverse P.sup.1 of said permutation matrix P; computing an inverse A.sup.1 of said non-singular matrix A; computing an inverse S.sup.1 of said non-singular matrix S; computing a vector yP.sup.1 A.sup.1 having a length n(r+1); selecting a sub-vector y of said vector yP.sup.1 A.sup.1, where y has a length n; using said private generator matrix G.sub.s to decode said sub-vector y into a vector m, where m has a length k; computing said plaintext message m=m'S.sup.1; and checking a validity of said message m.

6. The method of claim 5 wherein said public key G and wherein said private key K are generated according to the method of claim 4.

7. The method of claim 6 wherein selecting said sub-vector y comprises: a) obtaining elements y.sub.0, . . . , y.sub.n(r+1)1 of said vector yP.sup.1 A.sup.1; and b) setting said sub-vector y=[y.sub.0, y.sub.r+1, . . . , y.sub.(n1)(r+1)].

8. The method of claim 7 wherein checking said validity of said message m comprises: a) computing a Hamming weight w=weight(ymG); and b) accepting said message m if wt.

9. The method of claim 8 wherein generating said error vector e comprises: a) computing a message authentication tag e=H(m) wherein H is a message authentication code algorithm; and b) computing said error vector e from said message authentication tag e.

10. The method of claim 8 wherein generating said error vector e comprises: a) selecting a second private message m; and b) computing said error vector e from said second message m.

11. The method of claim 10 wherein recovering said second message m from said ciphertext y comprises: a) computing said first message m using the method of claim 5; b) computing said error vector e=ymG; and c) computing said second message m from said error vector e.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0049] For a more complete understanding of the invention, reference is made to the following description and accompanying drawings, in which:

[0050] FIG. 1 is a schematic diagram illustrating a process according to an embodiment of the invention, showing steps taken for generating a private key and steps taken for generating a corresponding public key for a public key encryption scheme;

[0051] FIG. 2 is a schematic diagram illustrating a process according to an embodiment of the invention, showing steps taken for encrypting a message using a public key and steps taken for decrypting a cipher text using a corresponding private key; and

[0052] FIG. 3 is a schematic diagram illustrating a process according to an embodiment of the invention, showing steps taken for including a partial message within the error vector and steps taken for including a message authentication tag within the error vector.

DESCRIPTION OF INVENTION

[0053] In this invention, we will use q=2.sup.m or q=p.sup.m for a prime p and our discussion will be based on the field GF(q) through out this invention. Letters such as a, b, e, , g are used to denote row or column vectors over GF(q). It should be clear from the context whether a specific letter represents a row vector or a column vector.

[0054] The Random Linear Code based Encryption scheme RLCE of the present invention is described in the following paragraphs.

[0055] FIG. 1 describes a process for generating a private key and for generating a corresponding public key for the proposed public key encryption scheme. Referring therefore to FIG. 1, the public parameter selection engine 100 chooses n, k, d, t, r>0, and GF(q) with the property that nk+1d2t+1. The private linear code generator matrix selection engine 110 chooses a kn generator matrix C.sub.s=[g.sub.0, . . . , g.sub.n1] for an [n, k, d] linear code such that there is an efficient decoding algorithm to correct at least t errors for this linear code given by C.sub.s. Random matrix selection engine 120 chooses kr matrices C.sub.0, C.sub.1, . . . , C.sub.n1GF(q).sup.kr uniformly at random. Matrix column mixing engine 130 defines

G.sub.1=[g.sub.0,C.sub.0,g.sub.1,C.sub.1,g.sub.n1,C.sub.n1](2)

to be a kn(r+1) matrix by inserting random matrices C.sub.0, C.sub.1, . . . , C.sub.n1 into G.sub.s. The second random matrix selection engine 140 chooses dense nonsingular (r+1)(r+1) matrices A.sub.0, . . . , A.sub.n1GF(q).sup.(r+1)(r+1) uniformly at random and defines

[00003]$\begin{array}{cc}A=\left[\begin{array}{cccc}{A}_0& & & \\ & A_1& & \\ & & & \\ & & & A_{n-1}\end{array}\right]& \left(3\right)\end{array}$

to be an n(r+1)n(r+1) nonsingular matrix. The engine 140 also chooses a random dense kk nonsingular matrix S and chooses a random n(r+1)n(r+1) permutation matrix P. The public key 160 is the kn(r+1) matrix G=SG.sub.1AP and the private key 150 is the tuple (S, G.sub.s, P, A).

[0056] FIG. 2 describes a process for encrypting a clear text message using the public key 160 and a process for decrypting a ciphertext to a clear text message using the private key 150. Referring therefore to FIG. 2, for given public parameters n,k,d,t,r,GF(q), a public key G, and a row message vector mGF(q).sup.k in the box 200, the encryption engine 210 chooses a random row vector e=[e.sub.0, . . . , e.sub.n(r+1)1]GF(q).sup.n(r+1) whose Hamming weight is at most t and computes the cipher text as y=mG+e.

[0057] The receiver 310 holds the private key S, G.sub.s, A, P and receives the ciphertext y. For the received cipher text y [y.sub.0, . . . , y.sub.n(r+1)1], the decryption engine 320 computes

[00004]$\begin{array}{cc}{\mathrm{yP}}^{-1}.Math.A^{-1}=\left[y_0^{},\mathrm{.Math.}.Math.,y_{n\left(r+1\right)-1}^{}\right]={\mathrm{mSG}}_1+{\mathrm{eP}}^{-1}.Math.A^{-1}& \left(4\right)\\ \mathrm{where}.Math..Math.A^{-1}=\left[\begin{array}{cccc}{A}_0^{-1}& & & \\ & A_1^{-1}& & \\ & & & \\ & & & A_{n-1}^{-1}\end{array}\right]& \end{array}$

Let y=[y.sub.0, y.sub.r+1, . . . , y.sub.(n1)(r+1)] be a length n row vector selected from the length n(r+1) row vector yP.sup.1 A.sup.1. Then y=mSG.sub.s+e for some error vector eGF(q).sup.n. Let e=eP.sup.1=[e.sub.0, . . . , e.sub.n(r+1)1] and e.sub.i=[e.sub.i(r+1), . . . , e.sub.i(r+1)+r] be a sub-vector of e for in1. Then e[i] is the first element of e.sub.iA.sub.i.sup.1. Thus e [i]0 only if e.sub.i is non-zero. Since there are at most t non-zero sub-vectors e, the Hamming weight of eGF(q).sup.n is at most t. Using the efficient decoding algorithm, the receiver computes m=mS and m=mS.sup.1. Finally, the receiver calculates the Hamming weight w=weight(ymG). If wt then the decryption engine 320 outputs m as the decrypted plaintext. Otherwise, the decryption engine 320 outputs an error.

[0058] Comment 1. In the design of RLCE scheme, the permutation matrix P has two purposes. The first purpose is to hide the supports of the underlying encoding scheme generator matrix (this is necessary if the supports of the underlying encoding scheme are unknown). The second purpose is to hide the positions and combinations of the column vectors g.sub.i and C.sub.i.

[0059] Comment 2. In the RLCE decryption process, the receiver checks whether the Hamming weight w=weight(ymG) is smaller than t. This step is used to defeat chosen ciphertext attacks (CCA). In a CCA attack, an adversary gives a random vector y=[y.sub.0, . . . , y.sub.n(r+1)1] (which is not a valid ciphertext) to the decryption oracle to learn a decrypted value. This decrypted value could be used to obtain certain information about the private generator matrix G.sub.s. Alternatively, one may use an appropriate padding scheme to pad a message before encryption. For example, one may use the hash output (or a message authentication tag) as the error vector for the encryption process. Then it is sufficient for the decryption process to verify whether the decrypted message has the correct padding strings to defeat the CCA attacks.

[0060] We first use the following theorem to show that any single column of the underlying generator matrix G could be completely randomized in a RLCE public key G.

Theorem 0.0.1 Let G.sub.s=[g.sub.0, . . . , g.sub.n1]GF(q).sup.k(n1) be a linear code generator matrix. For any randomly chosen full rank k(r+1) matrix R.sub.0GF(g).sup.k(r+1), there exists a kk nonsingular matrix S, a (r+1)(r+1) matrix A.sub.0, and a kr matrix C.sub.0GF(g).sup.kr such that

R.sub.0=S[g.sub.0,C.sub.0]A.sub.0(5)

[0061] Proof.

[0062] By the fundamental properties of matrix equivalence, for two mn matrices A, B of the same rank, there exist invertible mm matrix P and nn invertible matrix Q such that A=PBQ. The theorem could be proved using this property and the details are omitted here.

[0063] Let R=[R.sub.0, . . . , R.sub.n1]GF(q).sup.kn(r+1) be a fixed random linear code generator matrix. Theorem 0.0.1 shows that for any generator matrix G.sub.s (e.g., a Reed-Solomon code generator matrix), we can choose matrices S and A.sub.0 so that the first r+1 columns of the RLCE scheme public key G (constructed from G.sub.s) are identical to R.sub.0. However, we cannot use Theorem 0.0.1 to continue the process of choosing A.sub.1, . . . , A.sub.n1 to obtain G=R since S is fixed after A.sub.0 is chosen. Indeed, it is straightforward to show that one can use Theorem 0.0.1 to continue the process of choosing A.sub.1, . . . , A.sub.n1 to obtain G=R if and only if there exists a kk nonsingular matrix S such that, for each in1, the vector Sg.sub.i lies in the linear space generated by the column vectors of R.sub.i. A corollary of this observation is that if R.sub.i generates the full k dimensional space, then each linear code could have any random matrix as its RLCE public key.

[0064] Theorem 0.0.2 Let R=[R.sub.0, . . . , R.sub.n1]GF(g).sup.kn (r+1) and G.sub.s=[g.sub.0, . . . , g.sub.n1] GF(g).sup.kn be two fixed MDS linear code generator matrices. If r+1k, then there exist A.sub.0, . . . , A.sub.n1GF(g).sup.(r+1)(r+1) and C.sub.0, . . . , C.sub.n1GF(g).sup.kr such that R=[g.sub.0, C.sub.0, . . . , g.sub.n1, C.sub.n1]A where A is in the format of (3).

[0065] Proof. Without loss of generality, we may assume that r=k1. For each 0in1, choose a random matrix C.sub.iGF(g).sup.kr such that G.sub.i=[g.sub.i, C.sub.i] is an kk invertible matrix.

[0066] The above Theorem 0.0.2 shows that in the RLCE scheme, we must have r<k1. Otherwise, for a given public key GGF(g).sup.kn(r+1), the adversary can choose a Reed-Solomon code generator matrix G.sub.sGF(g).sup.kn and compute A.sub.0, . . . , A.sub.n1GF(q).sup.rr and C.sub.0, . . . , C.sub.n1GF(g).sup.kr such that G=[g.sub.0, C.sub.0, . . . , g.sub.n1, C.sub.n1]A. In other words, the adversary can use the decryption algorithm corresponding to the generator matrix G.sub.s to break the RLCE scheme.

[0067] Theorem 0.0.2 also implies an efficient decryption algorithm for random [n, k] linear codes with sufficiently small t of errors. Specifically, for an [n, k] linear code with generator matrix RGF(g).sup.kn, if

[00005]$t\frac{n-k^2}{2.Math..Math.k},$

then one can divide R into m=2t+k blocks R=[R.sub.0, . . . , R.sub.m1]. Theorem 0.0.2 can then be applied to construct an equivalent [m, k] Reed-Solomon code with generator matrix G.sub.sGF(g).sup.km. Thus it is sufficient to decrypt the equivalent Reed-Solomon code instead of the original random linear code. For McEliece based encryption scheme, Bernstein, Lange, and Peters (2008) recommends the use of 0.75 (=k/n) as the code rate. Thus Theorem 0.0.2 has no threat on these schemes.

[0068] For

[00006]$t\frac{n-k^2}{2.Math..Math.k},$

the adversary is guaranteed to succeed in breaking the system. Since multiple errors might be located within the same block R.sub.i with certain probability. For a given t that is slightly larger than

[00007]$\frac{n-k^2}{2.Math..Math.k},$

the adversary still has a good chance to break the system using the above approach. It is recommended that t is significantly larger than

[00008]$\frac{n-k^2}{2.Math..Math.k}.$

For the RLCE scheme, this means that r should be significantly smaller than k. This is normally true since k is very larger for secure RLCE schemes.

[0069] In following paragraphs, we list heuristic and experimental evidences that the RLCE public key G shares the properties of random linear codes. We believe that the security of the RLCE scheme is equivalent to decoding a random linear code.

[0070] We first show that certain information about the private generator matrix G.sub.s is leaked if the decryption process does neither include padding scheme validation nor include ciphertext correctness validation. However, it is not clear whether this kind of information leakage would help the adversary to break the RLCE encryption scheme. We illustrate this using the parameter r=1.

[0071] Assume that G.sub.1=[g.sub.0, r.sub.0, g.sub.1, r.sub.1, . . . , g.sub.n1, r.sub.n1] and G=SG.sub.1AP. The adversary chooses a random vector y=[y.sub.0, . . . , y.sub.2n1]GF(q).sup.2n1 and gives it to the decryption oracle which outputs a vector GF(q).sup.k. Let yP.sup.1 A.sup.1=[y.sub.0, . . . , y.sub.2n1] and

[00009]$A_i=\left[\begin{array}{cc}{a}_{i,00}& a_{i,01}\\ a_{i,10}& a_{i,11}\end{array}\right].$

Then we have

[00010]$\begin{array}{cc}\begin{array}{c}\mathrm{xG}-y=.Math.\mathrm{xS}\left[g_0,r_0,g_1,r_1,\mathrm{.Math.}.Math.,g_{n-1},r_{n-1}\right].Math.\mathrm{AP}-y\\ =.Math.[.Math.\mathrm{.Math.}.Math.,\mathrm{xS}\left[g_i,r_i\right].Math.A_i,\mathrm{.Math.}.Math.].Math.P-y\\ =.Math.[.Math.\mathrm{.Math.}.Math.,\left[y_{2.Math.i}^{},{\mathrm{xSr}}_i\right].Math.A_i,\mathrm{.Math.}.Math.].Math.P+e-y\\ =.Math.[.Math.\mathrm{.Math.}.Math.,\left[y_{2.Math.i}^{},y_{2.Math.i+1}^{}\right].Math.A_i,\mathrm{.Math.}.Math.].Math.P+\\ .Math.[.Math.\mathrm{.Math.}.Math.,\left[0,{\mathrm{xSr}}_i-y_{2.Math.i+1}^{}\right].Math.A_i,\mathrm{.Math.}.Math.].Math.P+e-y\\ =.Math.y+[.Math.\mathrm{.Math.}.Math.,\left[0,{\mathrm{xSr}}_i-y_{2.Math.i+1}^{}\right].Math.A_i,\mathrm{.Math.}.Math.].Math.P+e-y\\ =.Math.[.Math.\mathrm{.Math.}.Math.,\left[{\mathrm{xSr}}_i-y_{2.Math.i+1}^{}\right).Math.a_{i,10},\\ .Math.\left({\mathrm{xSr}}_i-y_{2.Math.i+1}^{}\right).Math.a_{i,11}],\mathrm{.Math.}.Math.].Math.P+e\end{array}& \left(6\right)\end{array}$

where e is a row vector of Hamming weight at most t. From the identity (6), one can calculate a list of potential values for c.sub.i=a.sub.i,10/a.sub.i,11. The size of this list is (.sup.2n.sub.2). For each value in this list, one obtains the corresponding two column vectors [.sub.0, .sub.1]=S[g.sub.i, r.sub.i]A.sub.i from the public key G. Then one has

[00011]$\begin{array}{cc}\left[f_0,f_1\right]\left[\begin{array}{cc}1& 0\\ -c_i& 1\end{array}\right]=S\left[g_i,r_i\right]\left[\begin{array}{cc}{a}_{i,00}& a_{i,01}\\ c_i.Math.a_{i,11}& a_{i,11}\end{array}\right]\left[\begin{array}{cc}1& 0\\ -c_i& 1\end{array}\right]=S\left[g_i,r_i\right]\left[\begin{array}{cc}{a}_{i,00}-c_i.Math.a_{i,01}& a_{i,01}\\ 0& a_{i,11}\end{array}\right]& \left(7\right)\end{array}$

That is, .sub.0c.sub.i.sub.1=(a.sub.i,00c.sub.ia.sub.i,01)Sg.sub.i. Thus, for each candidate permutation matrix P, one can calculate a matrix SG.sub.sB where B=diag[a.sub.0,00c.sub.0a.sub.0,01, . . . , a.sub.n1,00c.sub.n1a.sub.n1,01] is an nn diagonal matrix with unknown diagonal elements a.sub.0,00c.sub.0a.sub.0,01, and a.sub.n1,00c.sub.n1a.sub.n1,01.

[0072] On the other hand, for each ciphertext y=[y.sub.0, . . . , y.sub.2n1]GF(q).sup.2n1, let yP.sup.1=[z.sub.0, z.sub.1, . . . , z.sub.2n1]. The codeword corresponding to the secret generator matrix SG.sub.s is [y.sub.0, y.sub.2, . . . , y.sub.2n2] where yP.sup.1 A.sup.1=[y.sub.0, . . . , y.sub.2n1]. By the fact that

[00012]$\left[y_{2.Math.i}^{},y_{2.Math.i+1}^{}\right]=\left[z_{2.Math.i},z_{2.Math.i+1}\right].Math.A_i^{-1}=\frac{1}{.Math.A_i.Math.}\left[z_{2.Math.i},z_{2.Math.i+1}\right]\left[\begin{array}{cc}{a}_{i,11}& -a_{i,01}\\ -c_i.Math.a_{i,11}& a_{i,00}\end{array}\right],$

one has

[00013]$y_{2.Math.i}^{}=\frac{a_{i,11}}{.Math.A_i.Math.}.Math.\left(z_{2.Math.i}-c_i.Math.z_{2.Math.i+1}\right).$

For each candidate permutation matrix P, one first chooses k independent messages .sub.0, . . . , .sub.k1 and calculates the corresponding k independent ciphertexts y.sub.0, . . . , y.sub.k1. Using P and the above mentioned technique, one obtains a generator matrix

[00014]$G_a=S^{}.Math.G_s.Math.\mathrm{diag}\left[\frac{a_{0,11}}{.Math.A_0.Math.},\mathrm{.Math.}.Math.,\frac{a_{n-1,11}}{.Math.A_{n-1}.Math.}\right].$

Thus in order to decode a ciphertext y, it is sufficient to decode the error correcting code given by the generator matrix G.sub.a. This task becomes feasible for certain codes. For example, this task is equivalent to the problem of attacking a generalized Reed-Solomon code based McElience encryption scheme if G.sub.s generates a generalized Reed-Solomon code.

[0073] In order for the attacks in the preceding paragraphs to work, the adversary needs to have the knowledge of the permutation matrix P. Since the number of candidate permutation matrices P is huge, this kind of attacks is still infeasible in practice.

[0074] Niederreiter's scheme and Sidelnikov-Shestakov's attack: Sidelnikov and Shestakov's cryptanalysis technique (1992) was used to analyze Niederreiter's scheme which is based on generalized Reed-Solomon codes. Let =(.sub.0, . . . , .sub.n1) be n distinct elements of GF(q) and let =(.sub.0, . . . , .sub.n1) be nonzero (not necessarily distinct) elements of GF(q). The generalized Reed-Solomon (GRS) code of dimension k, denoted by GRS.sub.k(,), is defined by the following subspace.

GRS.sub.k(,)={(.sub.0(.sub.0), . . . ,.sub.n1(.sub.n1)):()GF(q)[].sub.k)}

where GF(q)[].sub.k is the set of polynomials in GF(q)[] of degree less than k. Alternatively, we can interpret GF(q)[].sub.k as a vector space of dimension k over GF(q). For each code word c=(.sub.0(.sub.0), . . . , .sub.n1(.sub.n1)), ()=.sub.0+.sub.1+ . . . +.sub.k1.sup.k1 is called the associate polynomial of the code word c that encodes the message (.sub.0, . . . , .sub.k1). GRS.sub.k (, ) is an [n, k, d] MDS code where d=nk+1.

[0075] Niederreiter's scheme (1986) replaces the binary Goppa codes in McEliece scheme using GRS codes as follows. For given security parameters n and k, one first chooses GRS code parameters and . Let G be the kn generator matrix for this GRS code. Choose a random kk nonsingular matrix S over GF(q) and the public key is G=SG and

[00015]$t=.Math.\frac{n-k}{2}.Math..$

G linear code with the same rate and minimum distance as the code generated by G. The encryption and decryption process are the same as in the original McEliece scheme.

[0076] The best attack on Niederreiter scheme is presented by Sidelnikov and Shestakov (1992). In Sidelnikov-Shestakov attack, one recovers an equivalent private key (, ) from a public key G for the code GRS.sub.k (, ) as follows. For the given public key G, one first computes the systematic form E(G)=[II G] (also called echelon form) using Gaussian elimination. An equation system is then constructed from E(G) to recover a decryption key.

[00016]$\begin{array}{cc}E\left(G^{}\right)=\left(\begin{array}{ccccccc}1& 0& \mathrm{.Math.}& 0& b_{0,k}& \mathrm{.Math.}& b_{0,n-1}\\ 0& 1& \mathrm{.Math.}& 0& b_{1,k}& \mathrm{.Math.}& b_{1,n-1}\\ & & & & \mathrm{.Math.}& & \mathrm{.Math.}\\ 0& 0& \mathrm{.Math.}& 1& b_{k-1,k}& \mathrm{.Math.}& b_{k-1,n-1}\end{array}\right)& \left(8\right)\end{array}$

For the ith row b.sub.i of E(G), assume the associated polynomial is .sub.b.sub.i. Since the only non-zero elements are b.sub.i,i, b.sub.i,k+1, . . . , b.sub.i,n1, we have

[00017]$\begin{array}{cc}{v}_0.Math.f_{b_i}\left({}_0\right)=0.Math..Math.\mathrm{.Math.}.Math..Math.v_i.Math.f_{b_i}\left({}_i\right)=1.Math..Math.\mathrm{.Math.}.Math..Math.v_{n-1}.Math.f_{b_i}\left({}_{n-1}\right)=b_{i,n-1}& \left(9\right)\end{array}$

Thus .sub.b.sub.i can be written as

[00018]$\begin{array}{cc}{f}_{b_i}=c_{b_i}.Math.\underset{j=1,ji}{\overset{k}{.Math.}}.Math.\left(y-{}_j\right)& \left(10\right)\end{array}$

for some c.sub.b.sub.i0. By the fact that

GRS.sub.k(,)=GRS.sub.k(a+b,c)(11)

for all a, b, cGF(q) with ab0, we may assume that .sub.0=0 and .sub.1=1. In the following, we try to recover .sub.2, . . . , .sub.n1. Using equation (10), one can divide the row entries in (8) by the corresponding nonzero entries in another row to get several equations. For example, if we divide entries in row i.sub.0 by corresponding nonzero entries in row i.sub.1, we get

[00019]$\begin{array}{cc}\frac{b_{i_0,j}}{b_{i_1,j}}=\frac{v_j.Math.f_{b_{i_0}}\left({}_j\right)}{v_j.Math.f_{b_{i_1}}\left({}_j\right)}=\frac{c_{b_{i_0}}\left({}_j-{}_{i_1}\right)}{c_{b_{i_1}}\left({}_j-{}_{i_0}\right)}& \left(12\right)\end{array}$

for j=k, . . . , n1. First, by taking i.sub.0=0 and i.sub.1=1, equation (12) could be used to recover .sub.k, . . . , .sub.n1 by guessing the value of

[00020]$\frac{c_{b_0}}{c_{b_1}}$

which is possible when q is small. By letting i.sub.0=0 and i.sub.1=2, . . . , k1 respectively, equation (12) could be used to recover .sub.i.sub.1. Sidelnikov and Shestakov (1992) also showed that the values of can then be recovered by solving some linear equation systems based on .sub.0, . . . , .sub.n1. Wieschebrink (2006) revised Niederreiter's scheme by inserting random column vectors into random positions of G before obtaining the public key G. Couvreur et al (2013) showed that Wieschebrink's revised scheme is insecure under the product code attacks.

[0077] Berger and Loidreau (2005) recommend the use of sub codes of Niederreiter's scheme to avoid Sidelnikov and Shestakov's attack. Specifically, in Berger and Loidreau's scheme, one uses a random (kl)k matrix S of rank kl instead of the kk matrix S to compute the public key G=SG.

[0078] For smaller values of l, Wieschebrink (2010) shows that a private key (, ) for Berger and Loidreau scheme (2005) could be recovered using Sidelnikov-Shestakov algorithm. For larger values of l, Wieschebrink used product code to recover the secret values for Berger-Loidreau scheme. Let G=SG be the (kl)n public generator matrix for Berger-Loidreau scheme, r.sub.0, . . . , r.sub.kl1 be the rows of G, and .sub.0, . . . , .sub.kl1 be the associated polynomials to those rows. For two row vector a, bGF(q).sup.n, the component wise product a*bGF(q)n is defined as

a*b=(a.sub.0b.sub.0, . . . ,a.sub.n1b.sub.n1)(13)

By the definition in (13), it is straightforward to observe that

r.sub.i*r.sub.j=(.sub.0.sup.2.sub.i(.sub.0).sub.j(.sub.0), . . . ,.sub.n1.sup.2.sub.i(.sub.n1).sub.j(.sub.n1)).(14)

For 2k1n2, if the code generated by r.sub.i*r.sub.j equals to GRS.sub.2k1(,) for =(.sub.0.sup.2, . . . , .sub.n1.sup.2) then the Sidelnikov-Shestakov algorithm could be used to recover the values and . For 2k1n2, if the code generated by r.sub.i*r.sub.j does not equal to GRS.sub.2k1(n,), then the attack fails. Wieschebrink shows that the probability that the attack fails is very small. For the case of 2k1>n2, Wieschebrink applied Sidelnikov-Shestakov algorithm on the component wise product code of a shortened code of the original GRS.sub.k(,).

[0079] The crucial step in Sidelnikov and Shestakov attack is to use the echelon form E(G)=[I|G] of the public key to get minimum weight codewords that are co-related to each other supports. In the encryption scheme RLCE, each column of the public key G contains mixed randomness. Thus the echelon form E(G)=[I|G] obtained from the public key G could not be used to build any useful equation system. In other words, it is expected that Sidelnikov and Shestakov attack does not work against the RLCE scheme.

[0080] Filtration attacks: Using distinguisher techniques, Couvreur et al. (2013) designed a filtration technique to attack GRS code based McEliece scheme. The filtration technique was further developed by Couvreur et al (2014) to attack wild Goppa code based McEliece scheme. In the following, we briefly review the filtration attack. For two codes C.sub.1 and C.sub.2 of length n, the star product code C.sub.1*C.sub.2 is the vector space spanned by a*b for all pairs (a, b)C.sub.1C.sub.2 where a*b is defined in (13). For C.sub.1=C.sub.2, C.sub.1*C.sub.1 is called the square code of C.sub.1. It is showed in Couvreur et al (2014) that

[00021]$\begin{array}{cc}{\mathrm{dimC}}_1{C}_2\left\{n,{\mathrm{dimC}}_1.Math.{\mathrm{dimC}}_2-\left(\begin{array}{c}\dim (C_1.Math.C_1\\ 2\end{array}\right)\right\}.& \left(15\right)\end{array}$

Furthermore, the equality in (15) is attained for most randomly selected codes C.sub.1 and C.sub.2 of a given length and dimension. Note that for C=C.sub.1=C.sub.2 and dim C=k, the equation (15) becomes

[00022]${\mathrm{dimC}}^{*2}\min .Math.\left\{n,\left(\begin{array}{c}k+1\\ 2\end{array}\right)\right\}.$

[0081] Couvreur et al (2014) showed that the square code of an alternant code of extension degree 2 may have an unusually low dimension when its dimension is larger than its designed rate. Specifically, this happens for wild Goppa codes over quadratic extensions. Using a shortening trick, Couvreur et al showed that the square of a shortened wild Goppa code of extension degree 2 is contained in an alternant code of non trivial dimension. Based on those observations, Couvreur et al designed the code filtration techniques. Specifically, create a family of nested codes defined for any a E {0, . . . , n1} as follows.

C.sup.(0)C.sup.(1). . . C.sup.(q+1)(16)

This family of nested codes is called a filtration. Roughly speaking, C.sup.(j) consists in the codewords of C which correspond to polynomials which have a zero of order j at position a. It is shown that the first two elements of this filtration are just punctured and shortened versions of C and the rest of them can be computed from C by computing star products and solving linear systems. Furthermore, the support values .sub.0, . . . , .sub.n1 for the Goppa code could be recovered by this nested family of codes efficiently. Thus the private keys for wild Goppa code based McEliece scheme could be recovered from the public keys.

[0082] The crucial part of the filtration techniques is the efficient algorithm to compute the nested family of codes in (16). For our RLCE scheme, the public generator matrix G contains random columns. Thus linear equations constructed in Couvreur et al (2014) could not be solved and the nested family (16) could not be computed correctly. Furthermore, the important characteristics for a code C to be vulnerable is that one can find a related code C.sub.1 of dimension k such that the dimension of the square code of C.sub.1 has dimension significantly less than min

[00023]$\left\{n,\left(\begin{array}{c}k+1\\ 2\end{array}\right)\right\}.$

[0083] To get experimental evidence that RLCE codes share similarity with random linear codes with respect to the above mentioned filtration attacks, we carried out several experiments using Shoup's NTL library. In the experiments, we used Reed-Solomon codes over GF(2.sup.10). The RLCE parameters are chosen as the 80-bit security parameter n=560, k=380, t=90, and r=1. For each given 380560 generator matrix G.sub.s of Reed-Solomon code, we selected another random 380560 matrix CGF(2.sup.10).sup.380560 and selected 22 matrices A.sub.0, . . . , A.sub.559. Each column c.sub.i in C is inserted in G.sub.s after the column g.sub.i. The extended generator matrix is multiplied by A=diag[A.sub.0, . . . , A.sub.559] from the right hand side to obtain the public key matrix GGF(2.sup.10).sup.3801120. For each i=0, . . . , 1119, the matrix G.sub.i is used to compute the product code, where G.sub.i is obtained from G by deleting the ith column vector. In our experiments, all of these product codes have dimension 1119. We repeated the above experiments 100 times for 100 distinct Reed-Solomon generator matrices and the results remained the same. Since min

[00024]$\left\{1119,\left(\begin{array}{c}381\\ 2\end{array}\right)\right\}=1119,$

the experimental results meet our expectation that RLCE behaves like a random linear code. We did the same experiments for the dual code of the above code. That is, for a 180560 generator matrix G.sub.s of the dual code, the same procedure has been taken. In this time, after deleting one column from the resulting public key matrix, the product code always had dimension 1119 which is the expected dimension for a random linear code.

[0084] Algebraic attacks: Faugere, Otmani, Perret, and Tillich (2010) developed an algebraic attack against quasi-cyclic and dyadic structure based compact variants of McEliece encryption scheme. In a high level, the algebraic attack tries to find *, y*GF(q).sup.n such that V.sub.t (*,y*) is the parity check matrix for the underlying alternant codes of the compact variants of McEliece encryption scheme. V.sub.t (*,y*) can then be used to break the McEliece scheme. Note that this V.sub.t(*, y*) is generally different from the original parity check matrix V.sub.t(, y) in (1). The parity check matrix V.sub.t(*, y*) was obtained by solving an equation system constructed from

V.sub.t(*,y*)G.sup.T=0,(17)

where G is the public key. Faugere, Otmani, Perret, and Tillich (2010) employed the special properties of quasi-cyclic and dyadic structures (which provide additional linear equations) to rewrite the equation system obtained from (17) and then calculate V.sub.t(*, y*) efficiently.

[0085] Faugere, Gauthier-Umana, Otmani, Perret, and Tillich (2011) used the algebraic attack to design an efficient Goppa code distinguisher to distinguish a random matrix from the matrix of a Goppa code whose rate is close to 1. For instance, it was showed that the binary Goppa code obtained with m=13 and r=19 corresponding to a 90-bit security key is distinguishable.

[0086] It is challenging to mount the above mentioned algebraic attacks on the RLCE encryption scheme. Assume that the RLCE scheme is based on a Reed-Solomon code. Let G be the public key and (S, G.sub.s, A, P) be the private key. The parity check matrix for a Reed-Solomon code is in the format of

[00025]$\begin{array}{cc}{V}_t\left(\right)=\left[\begin{array}{ccccc}1& & {}^2& \mathrm{.Math.}& {}^{n-1}\\ 1& {}^2& {}^4& \mathrm{.Math.}& {}^{2.Math.\left(n-1\right)}\\ \mathrm{.Math.}& \mathrm{.Math.}& \mathrm{.Math.}& & \mathrm{.Math.}\\ 1& {}^{t+1}& {}^{2.Math.\left(t+1\right)}& \mathrm{.Math.}& {}^{\left(t+1\right).Math.\left(n-1\right)}\end{array}\right].& \left(18\right)\end{array}$

The algebraic attack requires one to obtain a parity check matrix V.sub.t(*) for the underlying Reed-Solomon code from the public key G, where * may be different from . Assume that V.sub.t(*)=[.sub.0, . . . , .sub.n1]GF(q).sup.(t+1)n is a parity check matrix for the underlying Reed-Solomon code. Let V.sub.t(*)GF(q).sup.(t+1)n(r+1) be a (t+1)n(r+1) matrix obtained from V.sub.t(*) by inserting r column vectors 0 after each column of V.sub.t(*). That is,

V.sub.t(*)=[.sub.0,0,.sub.1,0, . . . ,.sub.n1,0].(19)

Then we have

[00026]$\begin{array}{cc}\begin{array}{c}{V}_t^{}\left({}^{*}\right).Math.G_1^T=.Math.{V_t^{}\left({}^{*}\right)\left[g_0,C_0,\mathrm{.Math.}.Math.,g_{n-1},C_{n-1}\right]}^T\\ =.Math.{V_t\left({}^{*}\right)\left[g_0,\mathrm{.Math.}.Math.,g_{n-1}\right]}^T\\ =.Math.V_t\left({}^{*}\right).Math.G_s^T\\ =.Math.0.\end{array}& \left(20\right)\end{array}$

[0087] We cannot build an equation system for the unknown V.sub.t(*) from the public key G=SG.sub.1AP directly since the identity (20) only shows the relationship between V.sub.t(*) and G.sub.1. In other words, in order to build an equation system for V.sub.t(*), one also needs to use unknown variables for the non-singular matrix A and the permutation matrix P. That is, we have

V.sub.t(*)(A.sup.1).sup.T(P.sup.1).sup.TG.sup.T=V.sub.t(*)(GP.sup.1A.sup.1).sup.T=V.sub.t(*)G.sub.1.sup.TS.sup.T=0.(21)

with an unknown *, an unknown permutation matrix P, and an unknown matrix A=diag[A.sub.0, . . . , A.sub.n1] which consists of n dense nonsingular (r+1)(r+1) matrices A.sub.iGF(q).sup.(r+1)(r+1) as defined in (3). In order to find a solution *, one first needs to take a potential permutation matrix P.sup.1 to reorganize columns of the public key G. Then, using the identity V.sub.t(*)(A.sup.1).sup.T(P.sup.1).sup.TG.sup.T=0, one can build a degree (t+1)(n1)+1 equation system of k(t+1) equations in n(r+1).sup.2+1 unknowns. In case that k(t+1)n(r+1).sup.2+1, one may use Buchberger's Grbner basis algorithms to find a solution *. However, this kind of algebraic attacks are infeasible due to the following two challenges. First the number of permutation matrices P is too large to be handled practically. Secondly, even if one can manage to handle the large number of permutation matrices P, the Grbner basis (or the improved variants such as F.sub.4 or F.sub.5) are impractical for such kind of equation systems.

[0088] The Grbner basis algorithm eliminates top order monomial (in a given order such as lexicographic order) by combining two equations with appropriate coefficients. This process continues until one obtains a univariate polynomial equation. The resulting univariate polynomial equation normally has a very high degree and Buchberger's algorithm runs in exponential time on average (the worst case complexity is double exponential time). Thus Buchberger's algorithm cannot solve nonlinear multivariate equation systems with more than 20 variables in practice. But it should also be noted that though the worst-case Grbner basis algorithm is double exponential, the generic behavior is generally much better. In particular, if the algebraic system has only a finite number of common zeros at infinity, then Grobner basis algorithm for any ordering stops in a polynomial time in d.sup.n where d=max{d.sub.i: d.sub.i is the total degree of .sub.i} and n is the number of variables.

[0089] Encoding messages within the error vector: In order to increase the RLCE encryption scheme bandwith, one may use the process in FIG. 3 to include a partial message or an authentication tag within the error vector. Referring therefore to FIG. 3, for given public parameters n,k,d,t,r,GF(q), a public key G, and a row message vector m in the box 400, let H be a message authentication code algorithm. The message encryption engine 410 computes e=H(m) as the message authentication tag and generates the error vector e using the authentication tag e. Finally, the message encryption engine 410 encrypts the message m using the error vector e. At the receiving side 430, the receiver decrypts the message m from the ciphertext and recovers the message authentication tag e from the error vector e. The receiver accepts the decrypted message m only if e=H(m). Alternatively, the message encryption engine 420 divides the message m into two parts m.sub.1GF(q).sup.k and m.sub.2 (of certain given length). The message encryption engine 420 generates the error vector e using the message m.sub.2. Finally, the message encryption engine 420 encrypts the message m.sub.1 using the error vector e. At the receiving side 430, the receiver decrypts the message m.sub.1 from the ciphertext and recovers the message m.sub.2 from the error vector e.

[0090] Practical Considerations: In order to reduce the message expansion ratio which is defined as the rate of ciphertext size and corresponding plaintext size, it is preferred to use a smaller r for the RLCE encryption scheme. Indeed, the experimental results show that r=1 is sufficient for RLCE to behave like a random linear code. As mentioned in the introduction section, the most powerful message recovery attack (not private key recovery attack) on McEliece encryption schemes is the information-set decoding attack. For the RLCE encryption scheme, the information-set decoding attack is based on the number of columns in the public key G instead of the number of columns in the private key G.sub.s. For the same error weight t, the probability to find error-free coordinates in (r+1)n coordinates is different from the probability to find error-free coordinates in n coordinates. Specifically, the cost of information-set decoding attacks on an [n,k,t;r]-RLCE scheme is equivalent to the cost of information-set decoding attacks on a standard [(r+1)n,k;t]-McEliece scheme.

[0091] Taking into account of the cost of recovering McEliece encryption scheme secret keys from the public keys and the cost of recovering McEliece encryption scheme plaintext messages from ciphertexts using the information-set decoding methods, we generated a recommended list of parameters for RLCE scheme in Table 1. For the recommended parameters, the default underlying linear code is taken as the Reed-Solomon code over GF(q) and the value of r is taken as 1. For the purpose of comparison, we also list the recommended parameters for the binary Goppa code based McEliece encryption scheme. It is recommended to use semantic secure message coding approach so that one can store the public key as a systematic generator matrix. For the binary Goppa code based McEliece encryption scheme, the systematic generator matrix public key is k(nk) bits. For RLCE encryption scheme over GF(q), the systematic generator matrix public key is k(n(r+1)k) log q bits. It is observed that RLCE scheme generally has larger but acceptable public key size. Specifically, for the same security level, the public key size for the RLCE scheme is approximately four to five times larger than the public key size for binary Goppa code based McEliece encryption scheme. For example, for the security level of 80 bits, the binary Goppa code based McEliece encryption scheme has a public key of size 56.2 KB, and the RLCE-MDS scheme has a public key of size 267556.2 KB.

TABLE-US-00001 TABLE 1 Parameters for RLCE: n, k, t, q, key size (r = 1 for all parameters), where 360, 200, 80, 101 KB under column RLCE-MDS code represents n = 360, k = 200, t = 80. Security RLCE-MDS code binary Goppa code 60 360, 200, 80, 101 KB 1024, 524, 50, 19.8 KB 80 560, 380, 90, 267 KB 1632, 1269, 34, 56.2 KB 128 1020, 660, 180, 0.98 MB 2960, 2288, 57, 187.7 KB 192 1560, 954, 203, 2.46 MB 4624, 3468, 97, 489.4 KB 256 2184, 1260, 412, 4.88 MB 6624, 5129, 117, 0.9 MB

REFERENCE CITED

[0092] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Jakob Rosenthal, and Davide Mose' Schipani. Method and apparatus for public-key cryptography based on error correcting codes. U.S. Pat. No. 9,191,199 B2 (2015) [0093] Martin Tomlinson, Cen Jung Tjhai. Public key cryptosystem based on goppa codes and puf based random generation. U.S. Pat. No. 8,958,553 B2 (2015) [0094] Martin Tomlinson and Cen Jung Tjhai. Public key encryption using error correcting codes. WO2012066328 A1 (2012) [0095] Eran Kanter, Ido Kanter. A secure and linear public-key cryptosystem based on parity-check error-correcting code. WO2001050675 A2 (2001). [0096] Yongge Wang. Method and Apparatus for Random Linear Code Based Public Key Encryption Schemes. US Patent application U.S. 62/240,182, filed on Oct. 12, 2015. [0097] Yongge Wang. Quantum Resistant Random Linear Code Based Public Key Encryption Scheme RLCE. Proc. ISIT 2016. IEEE Press, 2016.