number of unsuitable Boolean functions in $n$ variables for the combiner generator with LFSRs of lengths $n_1, \dots, n_m$, all based on primitive polynomials, is equal to
$$2^{2^{n_1+n_2+\dots+n_m}} - (2^{n_1}-1)(2^{n_2}-1)\cdots(2^{n_m}-1)\sum_{\beta}(\cdots),$$
where $\beta = (\beta_1, \dots, \beta_s)$.
3. Functions for models with nonlinear registers
A nonlinear feedback shift register (NFSR) consists of two parts: a binary vector $x = (x_{n-1}, \dots, x_0)$ of length $n$ and a nonlinear state function $f : (x_{n-1}, \dots, x_0) \to \{0,1\}$ in $n$ variables.
Similarly to the linear case, consider the filter generator. We assume that the NFSR passes over all $2^n$ states, i.e., it has the maximal possible period.
Theorem 3. Let $n$ be an integer. Then the number of unsuitable Boolean functions in $n$ variables for the filter generator with an NFSR of the maximal possible period is equal to $2^{2^{n-1}}$.
There is another question related to NFSRs: how to determine for which nonlinear feedback functions an NFSR of length $n$ has the maximal possible period $2^n$? This question is hard and still open.
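The count in Theorem 3 can be checked by brute force for small $n$. The following Python script is an added example, not code from the paper: it builds a maximal-period NFSR state cycle with the greedy prefer-one rule (a de Bruijn cycle, so every one of the $2^n$ states is visited once), runs every Boolean function $f$ in $n$ variables as a filter over that cycle, and counts the functions whose output sequence has period smaller than $2^n$. That reading of "unsuitable" (output period not maximal) is an assumption of this example; under it the count agrees with $2^{2^{n-1}}$ for $n = 1, \dots, 4$. The function names are the example's own.

```python
def de_bruijn_states(n):
    """States of a maximal-period NFSR of length n, in visiting order.

    Constructed with the greedy 'prefer-one' rule: start from the all-zero
    state and append a 1 whenever the resulting n-bit window is new, else a 0.
    The 2^n windows of the resulting sequence are pairwise distinct, so the
    register runs through every state once per period (a de Bruijn cycle).
    """
    seq = [0] * n
    seen = {tuple(seq)}
    while len(seen) < 2 ** n:
        for bit in (1, 0):
            cand = tuple(seq[len(seq) - n + 1:] + [bit])
            if cand not in seen:
                seen.add(cand)
                seq.append(bit)
                break
        else:
            raise RuntimeError("greedy construction got stuck")
    states = [tuple(seq[i:i + n]) for i in range(2 ** n)]
    # The cycle must close: the successor of the last state is the first one.
    assert states[-1][1:] == states[0][:-1]
    return states


def min_period(seq):
    """Least period of a sequence regarded as a cycle of length len(seq)."""
    length = len(seq)
    for p in range(1, length + 1):
        if length % p == 0 and all(seq[i] == seq[(i + p) % length] for i in range(length)):
            return p


def count_unsuitable(n):
    """Brute force over all 2^(2^n) Boolean functions in n variables.

    The filter generator outputs f(state_t); since every state is visited
    exactly once per period, the output is a cycle of length 2^n. A function
    is counted as unsuitable (assumption of this example) when that output
    sequence has period strictly smaller than the register period 2^n.
    """
    states = de_bruijn_states(n)
    # Position of each state in a truth table indexed by the state's integer value.
    index = [int("".join(map(str, s)), 2) for s in states]
    unsuitable = 0
    for table in range(2 ** (2 ** n)):  # every truth table, encoded as an integer
        out = [(table >> i) & 1 for i in index]
        if min_period(out) < 2 ** n:
            unsuitable += 1
    return unsuitable


def theorem3_value(n):
    """The closed form stated in Theorem 3."""
    return 2 ** (2 ** (n - 1))


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(n, count_unsuitable(n), theorem3_value(n))
```

The brute force is exponential in $2^n$, so $n = 4$ (65536 functions) is about as far as it goes in a few seconds; the point is only to confirm the formula, and the period computation makes explicit why the answer is $2^{2^{n-1}}$: an output cycle of length $2^n$ has a proper period exactly when that period divides $2^{n-1}$, and such sequences are determined by their first $2^{n-1}$ bits.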
We kindly thank the reviewer for careful reading of our paper and significant remarks.
UDC 621.391.7 DOI 10.17223/2226308X/13/24
EFFICIENT S-REPETITION METHOD FOR CONSTRUCTING AN IND-CCA2 SECURE MCELIECE MODIFICATION IN THE STANDARD MODEL
Y. V. Kosolapov, O. Y. Turchenko
The paper is devoted to the construction of an IND-CCA2-secure modification of the McEliece cryptosystem in the standard model. The modification uses S-repetition encryption of S/2 different messages with one common secret permutation, in contrast to other modifications that use S-repetition encryption of one message. Thus, this modification provides IND-CCA2 security with an efficient information transfer rate.
Keywords: post-quantum cryptography, McEliece-type cryptosystem, IND-CCA2-security, S-repetition encryption.
1. Introduction
Currently, much effort is being devoted to the development of quantum computers. Therefore, the study of post-quantum cryptosystems is an important task. One suitable scheme for the post-quantum era is the McEliece cryptosystem [1]. Note that the McEliece cryptosystem does not rely on quantum mechanical properties. However, the original McEliece scheme is vulnerable to attacks on ciphertexts. To date, many approaches have been developed to modify the McEliece cryptosystem. One of the most successful approaches is based on the application of correlated products [2]. For instance, in [3, 4] the authors presented IND-CCA2-secure modifications in the standard model. At the same time, the main idea of correlated products is not effective in practice, because it requires transmitting S encrypted blocks for one information message. Based on the ideas from [3], we propose a new IND-CCA2-secure modification of the McEliece cryptosystem in the standard model, which requires transmitting S encrypted blocks for S/2 information messages.
2. Preliminaries
Let $n, t$ be natural numbers, $2t < n$, $[n] = \{1, \dots, n\}$, $\beta \subseteq [n]$, $2^{[n]}$ the set of all subsets of $[n]$, and $\mathbb{F}_2$ the Galois field of cardinality 2. The support of the vector $m = (m_1, \dots, m_n) \in \mathbb{F}_2^n$ is the set $\mathrm{supp}(m) = \{i : m_i \neq 0\}$, and the Hamming weight of this vector is the number $\mathrm{wt}(m) = |\mathrm{supp}(m)|$. A function $\gamma : \mathbb{N} \to [0,1]$ is negligible in $k$ if
$$\forall c \in \mathbb{N}\ \exists k_c \in \mathbb{N}\ \forall k > k_c\ (\gamma(k) \leq k^{-c}).$$
We use notation similar to that of [3]. If $S$ is a finite set, then $s \in_R S$ denotes the operation of picking an element of $S$ uniformly at random. Denote by $E_{n,t,\beta}$ the subset of $\mathbb{F}_2^n$ such that any vector $e = (e_1, \dots, e_n) \in E_{n,t,\beta}$ has Hamming weight $t$ and $e_i = 0$ for every $i \in \beta$. We write $E_{n,t}$ when $\beta = \emptyset$. Let us define a cryptosystem as a triplet of algorithms $\mathcal{E} = (K, E, D)$, where:
1) $K$ is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter $N \in \mathbb{N}$ and outputs a pair of a public key and a secret key $(pk, sk)$;
2) $E$ is a probabilistic polynomial-time encryption algorithm which takes as input a public key $pk$ and a message $m$ and outputs a ciphertext $c$; we write $\{m\}_{pk}$ for the encryption of the message $m$ with the key $pk$;
3) $D$ is a deterministic polynomial-time decryption algorithm which takes as input a secret key $sk$ and a ciphertext $c$ and outputs either a message $m$ or the symbol $\bot$ when the ciphertext is incorrect; the decryption of the ciphertext $c$ with the secret key $sk$ is denoted $\{c\}_{sk}$.
Let us define a signature scheme (SS) and the one-time strong unforgeability property in the same way as [3]. A signature scheme is a triplet of algorithms $SS = (K_{SS}, Sign, Check)$, where $K_{SS}$ is a key generation algorithm which takes as input a security parameter $N \in \mathbb{N}$ and outputs a signing key $dsk$ and a verification key $vk$, $Sign$ is a signing algorithm which takes as input a signing key $dsk$ and a message $m$ and outputs a signature $\sigma$, and $Check$ is a checking algorithm which takes as input a verification key $vk$, a message $m$ and a signature $\sigma$ and outputs 1 if $\sigma$ is valid for $m$ and 0 otherwise. It is important to note that a one-time strongly unforgeable signature scheme can be constructed from one-way functions (see [5, 6]).
Consider the McEliece cryptosystem as a triplet of polynomial-time algorithms $McE = (K_{McE}, E_{McE}, D_{McE})$ on the linear $[n, k, d]$-code $C \subseteq \mathbb{F}_2^n$, where $n$ is the length, $k$ is the code dimension, and $d$ is the minimum code distance. Let $G$ be a generator matrix of the code $C$ and $t = \lfloor (d-1)/2 \rfloor$. A secret key $sk$ is a pair $(S, P)$, where $S$ is a non-singular $(k \times k)$-matrix over the field $\mathbb{F}_2$ and $P$ is a permutation $(n \times n)$-matrix. A public key $pk$ is a pair $(\hat{G} = SGP, t)$. Encryption of a message $m \in \mathbb{F}_2^k$ is performed according to the rule
$$\{m\}_{pk}^{McE} = m\hat{G} + e = c, \quad e \in_R E_{n,t}.$$
To decrypt the ciphertext $c$, one uses an efficient decoder $Dec_C : \mathbb{F}_2^n \to \mathbb{F}_2^k$ of the code $C$ and the secret key $sk$:
$$\{c\}_{sk}^{McE} = Dec_C(cP^{-1})S^{-1}.$$
3. Efficient S-repetition construction
On the basis of the Randomized McEliece cryptosystem [7] we construct a new cryptosystem $bMcE_1 = (K_{bMcE_1}, E_{bMcE_1}, D_{bMcE_1})$ and call it the basic cryptosystem. For a vector $m \in \mathbb{F}_2^k$ and an ordered set $\omega = \{\omega_1, \dots, \omega_l\} \subseteq [k]$, where $\omega_1 < \dots < \omega_l$, we consider the projection operator $\pi_\omega : \mathbb{F}_2^k \to \mathbb{F}_2^l$ acting according to the rule $\pi_\omega(m) = (m_{\omega_1}, \dots, m_{\omega_l})$. For $\omega$ consider the subset $G(\omega)$ of the permutation group $S_k$ acting on the elements of the set $[k]$:
$$G(\omega) = \{\pi \in S_k : \pi(1) = \omega_1, \dots, \pi(l) = \omega_l\}.$$
With every permutation $\pi$ from $G(\omega)$ we associate a permutation $(k \times k)$-matrix $R_\pi$. The encryption rule of the basic McEliece cryptosystem $bMcE_1$ has the form
$$\{m\}_{pk}^{bMcE_1} = \{(m \,\|\, r_1)R_\pi\}_{pk}^{McE} \,\|\, \{(m \,\|\, r_2)R_\pi\}_{pk}^{McE} = c_1 \,\|\, c_2 = c,$$
where $m \in \mathbb{F}_2^l$, $\omega \subseteq_R [k]$, $|\omega| = l$, $r_1 \in_R \mathbb{F}_2^{k-l}$, $r_2$ is formed in accordance with the restriction $\mathrm{supp}(r_1 - r_2) = [k] \setminus \omega$, and $\pi \in_R G(\omega)$. The error vectors $e_1$ and $e_2$ generated in the $McE$-encryptions are chosen such that $e_1 \in_R E_{n,t}$, $e_2 \in_R E_{n,t,\mathrm{supp}(e_1)}$. From here it follows that
$$\mathrm{wt}(e_1) + \mathrm{wt}(e_2) = 2t.$$
To decrypt the ciphertext $c$, one should calculate
$$\{c\}_{sk}^{bMcE_1} = \pi_\omega(\{c_1\}_{sk}^{McE}), \quad \omega = [k] \setminus \mathrm{supp}(\{c_1\}_{sk}^{McE} - \{c_2\}_{sk}^{McE}). \tag{1}$$
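The following Python toy is an added worked example, not code from the paper or its authors. It instantiates the basic cryptosystem $bMcE_1$ over the binary Hamming $[7,4,3]$ code (so $n = 7$, $k = 4$, $t = 1$, $l = 2$): the $McE$ layer is the textbook $\hat{G} = SGP$ scheme with a syndrome decoder, $R_\pi$ is built from a random $\pi \in G(\omega)$, $r_2$ is $r_1$ with every bit flipped so that the two decrypted halves differ exactly on $[k] \setminus \omega$, $e_2$ is drawn from $E_{n,t,\mathrm{supp}(e_1)}$, and decryption recovers $\omega$ and then $m$ by rule (1). All parameters are constructed for illustration; a Hamming code of this size has no cryptographic strength, and the function names (`mce_keygen`, `bmce1_encrypt`, `roundtrip`, ...) are the example's own.

```python
import random

# Constructed toy parameters: binary Hamming [7,4,3] code, n=7, k=4, t=1, l=2.
N_LEN, K_DIM, T_ERR, L_MSG = 7, 4, 1, 2

# Systematic generator matrix G = [I_4 | A] and parity-check matrix H = [A^T | I_3].
G_CODE = [[1, 0, 0, 0, 1, 1, 0],
          [0, 1, 0, 0, 1, 0, 1],
          [0, 0, 1, 0, 0, 1, 1],
          [0, 0, 0, 1, 1, 1, 1]]
H_CODE = [[1, 1, 0, 1, 1, 0, 0],
          [1, 0, 1, 1, 0, 1, 0],
          [0, 1, 1, 1, 0, 0, 1]]


def matmul(a, b):
    """Matrix product over GF(2)."""
    return [[sum(a[i][k] & b[k][j] for k in range(len(b))) & 1
             for j in range(len(b[0]))] for i in range(len(a))]


def vecmat(v, m):
    """Row vector times matrix over GF(2)."""
    return matmul([v], m)[0]


def transpose(m):
    return [list(col) for col in zip(*m)]


def gf2_inverse(m):
    """Gauss-Jordan inverse over GF(2); returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def perm_matrix(p):
    """Permutation matrix R with R[i][p[i]] = 1, so (v R)[p[i]] = v[i]."""
    n = len(p)
    return [[int(p[i] == j) for j in range(n)] for i in range(n)]


def hamming_decode(y):
    """Dec_C: correct up to t=1 error and return the k information bits."""
    syndrome = [sum(H_CODE[r][j] & y[j] for j in range(N_LEN)) & 1 for r in range(3)]
    y = y[:]
    if any(syndrome):
        y[transpose(H_CODE).index(syndrome)] ^= 1  # column of H = error position
    return y[:K_DIM]


def mce_keygen(rng):
    """McE key pair: pk = (S G P, t), sk = (S^-1, P^-1)."""
    while True:
        S = [[rng.randrange(2) for _ in range(K_DIM)] for _ in range(K_DIM)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            break
    p = list(range(N_LEN))
    rng.shuffle(p)
    P = perm_matrix(p)
    return (matmul(matmul(S, G_CODE), P), T_ERR), (S_inv, transpose(P))


def mce_encrypt(pk, m, err):
    """c = m G_hat + e for a caller-supplied error vector e."""
    return [a ^ b for a, b in zip(vecmat(m, pk[0]), err)]


def mce_decrypt(sk, c):
    """Dec_C(c P^-1) S^-1."""
    S_inv, P_inv = sk
    return vecmat(hamming_decode(vecmat(c, P_inv)), S_inv)


def random_error(rng, forbidden=()):
    """Weight-t vector whose support avoids the given positions (E_{n,t,beta})."""
    allowed = [i for i in range(N_LEN) if i not in forbidden]
    e = [0] * N_LEN
    for i in rng.sample(allowed, T_ERR):
        e[i] = 1
    return e


def bmce1_encrypt(pk, m, rng):
    """bMcE_1 encryption of an l-bit message m under one McE public key."""
    omega = sorted(rng.sample(range(K_DIM), L_MSG))          # random omega, |omega| = l
    rest = [i for i in range(K_DIM) if i not in omega]
    rng.shuffle(rest)
    R = perm_matrix(omega + rest)                              # R_pi for a random pi in G(omega)
    r1 = [rng.randrange(2) for _ in range(K_DIM - L_MSG)]
    r2 = [b ^ 1 for b in r1]                                   # r1, r2 differ in every coordinate
    e1 = random_error(rng)                                     # e1 in E_{n,t}
    e2 = random_error(rng, forbidden=[i for i, b in enumerate(e1) if b])  # e2 in E_{n,t,supp(e1)}
    c1 = mce_encrypt(pk, vecmat(m + r1, R), e1)
    c2 = mce_encrypt(pk, vecmat(m + r2, R), e2)
    return c1, c2


def bmce1_decrypt(sk, c):
    """Rule (1): omega = [k] \\ supp(dec(c1) - dec(c2)), then project dec(c1) onto omega."""
    u1, u2 = mce_decrypt(sk, c[0]), mce_decrypt(sk, c[1])
    omega = [i for i in range(K_DIM) if u1[i] == u2[i]]
    if len(omega) != L_MSG:
        return None                                            # the bottom symbol
    return [u1[i] for i in omega]


def roundtrip(seed, m):
    """Key generation, bMcE_1 encryption and decryption with a seeded RNG."""
    rng = random.Random(seed)
    pk, sk = mce_keygen(rng)
    return bmce1_decrypt(sk, bmce1_encrypt(pk, m, rng))


if __name__ == "__main__":
    print(roundtrip(7, [1, 0]))  # prints the recovered message [1, 0]
```

The flipped-bit choice of $r_2$ is the simplest way to meet the restriction on $\mathrm{supp}(r_1 - r_2)$: after multiplication by $R_\pi$ the two halves agree exactly on the positions $\omega$, which is what makes rule (1) recover $\omega$ without transmitting it. The disjoint-support draw of $e_2$ is what the text means by $\mathrm{wt}(e_1) + \mathrm{wt}(e_2) = 2t$: the two ciphertexts carry $2t$ error positions in total, none shared.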
Using a one-time strongly unforgeable signature scheme $SS = (K_{SS}, Sign, Check)$ we construct a new S-repetition McEliece cryptosystem as a triplet of polynomial-time algorithms $bMcE_s = (K_{bMcE_s}, E_{bMcE_s}, D_{bMcE_s})$. The key generation algorithm $K_{bMcE_s}$ takes as input a security parameter $N \in \mathbb{N}$ and outputs a public key $pk$ and a secret key $sk$ of the form
$$pk = \big((pk_i^0, pk_i^1)\big)_{i=1}^s, \quad sk = \big((sk_i^0, sk_i^1)\big)_{i=1}^s, \quad \text{where } (pk_i^b, sk_i^b) \leftarrow K_{McE}(N),\ b \in \{0,1\},\ i \in [s].$$
To define the encryption algorithm, consider a message $m = (m_1 \,\|\, \dots \,\|\, m_s)$, where $m_i \in \mathbb{F}_2^l$. The encryption algorithm $E_{bMcE_s}$ takes as input a public key $pk$ and a message $m$ and outputs a ciphertext $c$:
$$c = \{m\}_{pk}^{bMcE_s} = c' \,\|\, vk \,\|\, \sigma,$$
where $(dsk, vk) \leftarrow K_{SS}(N)$, $vk = (vk_1, \dots, vk_s)$, $\sigma = Sign(dsk, c')$, $pk_{vk} = (pk_1^{vk_1}, \dots, pk_s^{vk_s})$, and $c'$ is calculated as follows:
$$c' = c'_1 \,\|\, \dots \,\|\, c'_s = [c'_{1,1} \,\|\, c'_{1,2}] \,\|\, \dots \,\|\, [c'_{s,1} \,\|\, c'_{s,2}],$$
where $c'_j = [c'_{j,1} \,\|\, c'_{j,2}] = \{m_j\}_{pk_j^{vk_j}}^{bMcE_1}$ for $j \in [s]$, and $\omega$ is chosen randomly once for all $j = 1, \dots, s$.
The decryption algorithm $D_{bMcE_s}$ takes as input a secret key $sk$ and a ciphertext $c$ and outputs either a message $m \in \mathbb{F}_2^{ls}$ or the error symbol $\bot$. On the first step, $D_{bMcE_s}$ checks the signature of the message. If $Check(vk, c', \sigma) = 0$, then $D_{bMcE_s}$ outputs $\bot$; otherwise it computes $m$ as follows. For each $c'_i$ from $c' = c'_1 \,\|\, \dots \,\|\, c'_s$ it finds $m_i = \{c'_i\}_{sk_i^{vk_i}}^{bMcE_1}$ and $\omega_i$ according to (1) and outputs
$$m = \begin{cases} m_1 \,\|\, \dots \,\|\, m_s, & \text{if } \omega_1 = \dots = \omega_s, \\ \bot, & \text{otherwise.} \end{cases}$$
Let $McE$ be the McEliece cryptosystem with security parameter $N$. The security of $McE$ is based on the two following standard assumptions.
Assumption 1. There is no polynomial algorithm capable of distinguishing the $(k \times n)$-matrix of the public key of the $McE$ cryptosystem from a random $(k \times n)$-matrix with non-negligible probability in $N$.
Assumption 2. There is no polynomial algorithm that solves the problem of decoding a general linear code.
According to [8], the problem of decoding a general linear code is NP-hard. Since $P \neq NP$ has not been proved, we formulate this only as an assumption.
Note that, if these assumptions hold, then $McE$ is a one-way trapdoor function (or OW-CPA secure) [9]. The hardness of most $McE$-type cryptosystems is based on the above assumptions (for example, [3, 4, 7]). To formulate the following theorem we introduce an auxiliary assumption.
Assumption 3. There is no polynomial algorithm that takes as input a ciphertext $c$ of $McE$ and a number $l \in \mathbb{N}$, outputs 0 if $c$ corresponds to an information message of weight less than $l$ and outputs 1 if $c$ corresponds to an information message of weight $l$, with non-negligible distinguishing advantage in $N$.
Theorem 1. Let $SS$ be a one-time strongly unforgeable signature scheme. Then $bMcE_s$ with security parameter $N$ and fixed $s$ is IND-CCA2 secure if Assumptions 1-3 hold.
REFERENCES
1. McEliece R. J. A public-key cryptosystem based on algebraic coding theory // DSN Progress Report. 1978. P. 42-44.
2. Rosen A. and Segev G. Chosen-ciphertext security via correlated products // LNCS. 2009. V. 5444. P. 419-436.
3. Döttling N., Dowsley R., Müller-Quade J., and Nascimento A. C. A. A CCA2 secure variant of the McEliece cryptosystem // IEEE Trans. Inform. Theory. 2012. V. 58. No. 10. P. 6672-6680.
4. Persichetti E. On a CCA2-secure variant of McEliece in the standard model // Provable Security. 2018. V. 11192. P. 165-181.
5. Lamport L. Constructing Digital Signatures from One-Way Functions. SRI International, 1979. https://www.microsoft.com/en-us/research/publication/constructing-digital-signatures-one-way-function/
6. Naor M. and Yung M. Universal One-Way Hash Functions and their Cryptographic Applications // Proc. STOC'89. N.Y.: ACM, 1989. P. 33-43.
7. Nojima R., Imai H., Kobara K., et al. Semantic security for the McEliece cryptosystem without random oracles // Designs, Codes and Cryptography. 2008. V. 49. P. 289-305.
8. Berlekamp E. R., McEliece R. J., and van Tilborg H. C. On the inherent intractability of certain coding problems // IEEE Trans. Inform. Theory. 1978. V. 24. No. 3. P. 384-386.
9. Kobara K. and Imai H. On the one-wayness against chosen-plaintext attacks of the Loidreau's modified McEliece PKC // IEEE Trans. Inform. Theory. 2003. V. 49. No. 12. P. 3160-3168.