1. Introduction
Public-key cryptosystems or asymmetric cryptosystems have been a subject of study since 1976. These systems use two different keys, called the public-key and the private-key. These keys are not completely independent of each other: there must be a mathematical relationship between them, such as factoring, discrete logarithm, etc. [1,2]. The public-key cryptosystem was first introduced in 1976 by Diffie and Hellman [3]. Rivest, Shamir and Adleman’s paper, known as the RSA cryptosystem [4], also presents a public-key cryptosystem. The RSA cryptosystem is based on the factorization of integers [5]. Merkle and Hellman [6] suggested a cryptosystem based on the difficulty of the integer packing “knapsack” problem.
The first public-key cryptosystem based on error-correcting codes was presented by R. J. McEliece in 1978 [7]. He employed error-correcting codes, in particular binary Goppa codes with a known decoding algorithm, to construct the system. The generator matrix G plays an important role. The most important property of McEliece’s cryptosystem is its large key size. Niederreiter suggested another code-based public-key cryptosystem, based on the syndrome decoding of linear codes [8]. This system uses the parity-check matrix H of a linear code; thus, it is the dual version of McEliece’s cryptosystem. If they are used with exactly the same parameters [9], McEliece’s cryptosystem and Niederreiter’s cryptosystem offer equivalent security. Li et al. [10] proposed new classes of trapdoor functions to solve the bounded distance decoding problem in lattices. Moreover, many cryptosystems have been presented using linear codes after McEliece’s and Niederreiter’s schemes. The use of subcodes of generalized Reed–Solomon codes was introduced by Berger and Loidreau [11]. Berlekamp et al. [12] studied the complexity of decoding arbitrary linear codes. Krouk [13] proposed a different class of public-key cryptosystems. Sidelnikov [14] introduced the use of Reed–Muller codes for cryptosystems. Berger et al. [15] and Misoczki–Barreto [16] proposed using quasi-cyclic and quasi-dyadic codes to shorten the McEliece key. The original parameters of the McEliece cryptosystem have been broken [17], but the general system is still considered secure.
In this study, we propose a public-key cryptosystem based on error-correcting codes using a known bounded distance decoding method. We present the encryption and decryption algorithms, inspired by both McEliece’s and Niederreiter’s cryptosystems. McEliece’s system is constructed based on linear codes over . Both Niederreiter’s and our system are constructed based on linear codes over . However, in our cryptosystem, since it is easier to generate the pieces of keys, the encryption, decryption, and key generation are more efficient than in Niederreiter’s cryptosystem. Another difference of our system from Niederreiter’s is the use of the bounded distance decoding method, which corrects errors and guarantees unique decoding. In our public-key cryptosystem, it is impossible for an attacker to find the private-key from the public-key. Similarly, even if an enemy knows the public-key and the ciphertext, he/she cannot calculate the plaintext. These conditions ensure the new system is secure. Moreover, we consider some possible attacks in this paper; we analyze its security and performance, and we calculate some important parameters for our cryptosystem. When compared with McEliece’s and Niederreiter’s cryptosystems, our system performs better as regards encryption speed.
The rest of the paper is organized as follows. The next section gives the necessary background on coding theory and cryptography. Section 3 introduces the new public-key cryptosystem. Section 4 analyzes its security and examines some possible attacks. Section 5 compares it to the other code-based public-key cryptosystems. Section 6 concludes the paper.
2. Preliminaries
In this section, we recall some important topics [18,19] that are necessary for the paper.
2.1. Linear Codes
Definition 1 (Linear Code). A linear code C of length n and dimension k is a subspace of , where is the finite field with q elements, q is a prime power, and k and n are positive integers such that . It is denoted as an -code. The error-correcting capacity of C is the maximum number t of errors that C can correct. The set of all vectors of that are orthogonal to every codeword of C forms the dual code , which is an -code.
Definition 2 (Hamming Weight). The Hamming weight of a vector x in is the number of non-zero entries of x.
Definition 3 (Generator Matrix). A generator matrix G of C is a matrix whose rows form a basis of C. G is a matrix.
Definition 4 (Parity-Check Matrix). A parity-check matrix H for a linear code C is an matrix which is a generator matrix for its dual code .
2.2. Coset Decoding
Definition 5. Let C be an -code over and u be any vector in . The coset of C is defined as follows.
Theorem 1 (Lagrange). Suppose C is an -code over . Then,
- (i) Every vector of is in some coset of C;
- (ii) Every coset contains exactly vectors;
- (iii) Two cosets are either disjoint or coincide;
- (iv) There are exactly cosets of C.
Definition 6 (Coset Leader). The coset leader is the vector of minimum weight in a coset. If a coset contains more than one vector of minimum weight, then one of them is chosen at random as the coset leader.
Definition 7 (Syndrome Decoding). Let H be a parity-check matrix of an -code C. Then is called the syndrome of y, where y is any row vector of .
Lemma 1. Two vectors u and v are in the same coset of C if and only if they have the same syndrome.
Corollary 1. There is a one-to-one correspondence between cosets and syndromes.
2.3. Public-Key Cryptosystems
A cryptosystem is an application of cryptographic methods that ensures information security services. Cryptosystems can be classified into two types: public-key and private-key. In a public-key cryptosystem, each person has a pair of keys; one is the public-key, and the other is the private-key. The public-key is accessible to the other users; however, the private-key should be stored so that only the owner can access it. Any person can send an encrypted message using the public-key, but only the private-key paired with that public-key can decrypt the encrypted message. There is always a mathematical relationship between the public-key and the private-key in public-key cryptosystems. The hardness of mathematical problems such as integer factoring and discrete logarithm is used to generate these keys, so it is computationally infeasible to obtain the private-key from the public-key.
The Diffie–Hellman cryptosystem [3] and RSA cryptosystem [4] are pioneers of public-key cryptosystems. However, McEliece [7] and Niederreiter [8] are the first founders of the code-based public-key cryptosystems.
2.4. McEliece’s Public-Key Cryptosystem
McEliece’s public-key cryptosystem is the first system based on algebraic block codes; it was presented in 1978 [7]. In order to construct his cryptosystem, he used a binary Goppa code C. Here n is the code length, k is the code dimension, and t is the error-correcting capacity of C. The encryption and decryption algorithms are as follows.
Private-key: , where G is a generator matrix, S is any non-singular matrix, and P is any permutation matrix.
Public-key: and t.
Plaintexts: k-bit vectors m over .
Encryption: , where e is an n-bit error vector with Hamming weight t. So, c is the n-bit ciphertext.
Decryption: The fast decoding algorithm for C is used to correct the error ; then is found and therefore m.
2.5. Niederreiter’s Public-Key Cryptosystem
Niederreiter [8] proposed a knapsack-type public-key cryptosystem which is based on a linear code C over .
Private-key: , and P, where H is an parity-check matrix of C, M is any non-singular matrix, and P is any permutation matrix, all over .
Public-key: and t.
Plaintexts: n-dimensional vectors m over with weight t.
Encryption: , where c is the ciphertext of dimension .
Decryption: The fast decoding algorithm for C is used to obtain and m.
3. The System
The construction of our public-key cryptosystem is based on an -code over . The syndrome-decoding procedure is used for decryption. The public-key and private-key are constructed by each user as follows.
- (1) Select a generator matrix G of a linear -code C over , where t is the error-correcting capability.
- (2) Construct a parity-check matrix H from G for the code C.
- (3) Select any non-zero syndrome vector h which has weight t and dimension .
- (4) Select a random non-singular matrix M over .
- (5) Calculate the matrix , where denotes the transpose of H.
- (6) The public-key is .
- (7) The private-key is .
Encryption:
Message: an n-dimensional vector m over with weight t.
Cryptogram:
Decryption:
- (1) Calculate ;
- (2) Obtain m by syndrome decoding in the code C.
Decryption is correct, since can be computed and the procedure of syndrome decoding may be effectively used.
Example 1. Consider an -code C over . The generator matrix G and parity-check matrix H are . Select any non-singular matrix . The syndromes and coset leaders of C are as follows.

| Syndromes | Coset Leaders |
|---|---|
| (00) | (0000) |
| (11) | (1000) |
| (12) | (0100) |
| (10) | (0010) |
| (01) | (0001) |
| (22) | (2000) |
| (21) | (0200) |
| (20) | (0020) |
| (02) | (0002) |

The number of different cosets of C is . So, there are also nine syndrome vectors, which are . Calculate the matrix and . Let h be the syndrome vector . Since , C is the corrected error. So, the public-key is and the private-key is .
Encryption: Let the message vector be and . The cryptogram is . Since and is also equal to , we get the message by solving the linear system.
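The key-generation steps (1)–(7) of Section 3, the cryptogram, and the syndrome decoding of Section 2.2 can be exercised on the ternary [4,2] code of Example 1. The Python below is an added example, not code from the paper: H is reconstructed from the syndrome/coset-leader table above (an assumption), M is chosen here, the cryptogram is taken to be c = m·H^T·M in the Niederreiter form, and the secret vector h is left out because the page does not reproduce how it enters the cryptogram.

```python
from itertools import combinations, product
Q = 3  # Example 1 is over GF(3)
# H reconstructed (an assumption) from the table of Example 1: column j of H
# is the syndrome of the unit error in position j, e.g. (1000) -> (11).
H = [[1, 1, 1, 0],
     [1, 2, 0, 1]]
# Non-singular (n-k) x (n-k) matrix over GF(3) chosen here, with its inverse.
M = [[1, 1], [0, 1]]
M_INV = [[1, 2], [0, 1]]

def matmul(a, b):
    """Matrix product over GF(Q); a and b are lists of rows."""
    return [[sum(x * y for x, y in zip(row, col)) % Q for col in zip(*b)]
            for row in a]

def transpose(a):
    return [list(col) for col in zip(*a)]

def syndrome(y):
    """Definition 7: the syndrome y * H^T of a row vector y (length n-k)."""
    return matmul([y], transpose(H))[0]

def coset_leaders(n, t):
    """Definition 6: syndrome -> coset leader for every error of weight <= t.
    Weights are visited in increasing order, so the first vector stored for a
    syndrome is a minimum-weight representative of that coset."""
    table = {tuple([0] * len(H)): tuple([0] * n)}
    for w in range(1, t + 1):
        for pos in combinations(range(n), w):
            for vals in product(range(1, Q), repeat=w):
                e = [0] * n
                for p, v in zip(pos, vals):
                    e[p] = v
                table.setdefault(tuple(syndrome(e)), tuple(e))
    return table

def public_key():
    """Step (5): K = H^T * M, the n x (n-k) matrix published as the public key."""
    return matmul(transpose(H), M)

def encrypt(m):
    """Cryptogram c = m * K for a weight-t message m (assumed Niederreiter form)."""
    return matmul([m], public_key())[0]

def decrypt(c, table):
    """Decryption steps (1)-(2): c * M^-1 = m * H^T is the syndrome of m, and m
    is the coset leader of that syndrome (bounded distance decoding)."""
    s = tuple(matmul([c], M_INV)[0])
    return list(table[s])
```

Calling coset_leaders(4, 1) reproduces the nine rows of the table above, and decrypt(encrypt(m), table) returns m for every coset leader m, since c·M^-1 = m·H^T is exactly the syndrome of m.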
Proposition 1. The size of the plaintext is
Proof. The plaintext is an -tuple word of weight t. These correspond to the integers between 1 and , mapped to the set of words of weight t and length n. Therefore, the size of the plaintext is □
Proposition 2. The size of the ciphertext is
Proof. Since the ciphertext is an -tuple word, the proof is clear. □
Corollary 2. The transmission rate of the new system is
Proof. The proportion of the number of information symbols to the number of transmitted symbols gives the transmission rate. So, it is □
Proposition 3. Given a syndrome vector y of weight w, the number of eligible h’s is
Proof. It is known that the weight of h is t, and h is non-zero. Thus, the number of non-zero vectors of weight t among the vectors of w is □
Example 2. Let C be the extended binary Hamming code of parameters . Its packing radius is 1. We examine some properties of the public-key cryptosystem based on C. The size of the plaintext is . The size of the ciphertext is .
4. Security Comments
In this section, we examine the security of the new system. We recommend using a linear -code over . The decryption method is based on the bounded distance decoding task. In order to be a secure public-key cryptosystem, the following conditions should be satisfied.
The size of the public-key should be fairly small. In our cryptosystem, this size is , which is reasonably small.
The encryption, decryption, and key generation should be efficient. It is computationally simple to create the public-key and private-key. Thus, the encryption and decryption algorithms are very efficient.
It should be impossible for an attacker to recover the plaintext.
The system should be resistant to all possible attacks. Now, we discuss these attacks for the new system.
4.1. Algebraic Attack
The security of a public-key cryptosystem depends on the secrecy of the private-key. So, the first attack will be a factorization attempt to find the private-keys , and M. If the code parameters are large enough, this attack is impracticable, because it is difficult to recover the factors of . This means the security is ensured by the private-key. The security of the new system is also based on decoding in the code , while is not only non-equivalent to the code H in the cryptosystem, but after multiplying by M from the right, the error-correction capability of the public-key is unknown. Furthermore, the vector h is secret. Thus, the best attack may not be able to carry out complete decoding.
4.2. Generic Attack
The second attack is to recover m from c without using the private-key. The plaintext is an n-q tuple word of weight t, so we require a useful algorithm that maps the integers between 1 and to the set of words of weight t and length n and vice versa. In this case, the attacker would try to repeatedly select n bits at random from an -bit ciphertext vector and guess m based on the n selected bits, which is impossible. So, our cryptosystem is resistant to all possible attacks. At the same time, the described system presents a general approach, which is not restricted to a specific cryptosystem.
Moreover, the probability of no error in the construction of this system is . Consider the Goppa code, which has the parameters . In the public-key cryptosystem constructed based on this code, the probability of no error is . It is a very small number.
5. Comparison with the Other Public-Key Cryptosystems
In this section, we compare our system with the other code-based cryptosystems for an -code C over , where . We denote by and K, respectively, the size of the plaintext, the size of the ciphertext, the transmission rate, and the dimension of the public-key.
The new system is a further development of the McEliece and Niederreiter cryptosystems. McEliece’s system is constructed based on binary linear codes, but both Niederreiter’s and our new system are constructed based on linear codes over . In particular, we use bounded distance decoding to construct our system. In the new system, as the public-key is smaller than in McEliece’s cryptosystem, it is more practical for industry. Moreover, as seen in Table 1, the plaintext is a word of small weight, which is one of the coset leaders, and the number of operations involved during encryption is less than in McEliece’s cryptosystem. Furthermore, it is seen that the public-keys in our system and Niederreiter’s system are equivalent. However, our system is more efficient than Niederreiter’s cryptosystem, since it is easier to generate the pieces of keys. This condition increases the security. It is impossible for an attacker to reach the private-key from the public-key in the new system. In addition, the plaintext cannot be calculated even if the public-key and ciphertext are known by an enemy cryptanalyst. When the transmission rates of the systems are compared, it is noticed that the proposed system has the largest value. That is, the encryption is faster than the others. So, it is more reliable in terms of security.
6. Conclusions
We presented a new public-key cryptosystem based on error-correcting codes in this study. This system belongs to the class of cryptosystems based on the bounded distance decoding task. The sizes of the plaintext and ciphertext of the system are calculated, and from these the transmission rate is given. The possible attacks are considered. It is determined that the new system compares well with known systems.