CC BY

2019 Mathematical Methods of Cryptography No. 45

MATHEMATICAL METHODS OF CRYPTOGRAPHY

UDC 621.391.7 DOI 10.17223/20710410/45/4

ON THE CONSTRUCTION OF A SEMANTICALLY SECURE MODIFICATION OF THE MCELIECE CRYPTOSYSTEM

Y. V. Kosolapov, O. Y. Turchenko

Southern Federal University, Rostov-on-Don, Russia

E-mail: itaim@mail.ru

The security of currently used asymmetric cryptosystems is based on the discrete logarithm or factorization problems. These problems can be solved efficiently by Shor's algorithm on a quantum computer. An alternative to such cryptosystems is the McEliece cryptosystem, whose security is based on the problem of decoding a general linear code. In its original form the McEliece cryptosystem is not semantically secure, so the problem of constructing a semantically secure cryptosystem of the McEliece type is relevant. The goal of this paper is to construct a McEliece type cryptosystem that has the IND-CPA property. Further, we suppose that this system can be used as the base cryptosystem for building a McEliece type encryption scheme with the IND-CCA2 property and an efficient information transfer rate.

Keywords: McEliece type cryptosystems, IND-CPA, semantic security, standard model.

Introduction

Many public-key cryptosystems are vulnerable to attacks on the ciphertext: the chosen plaintext attack, the chosen ciphertext attack and the malleability attack. The reader is referred to [1] for a detailed description of these attacks. Semantically secure cryptosystems are immune to most of them. Semantic security was introduced in [2]; it means that the ciphertext gives an adversary with polynomially bounded computing resources no information about the plaintext. One way to build such cryptosystems is to use probabilistic encryption. For example, M. Bellare and P. Rogaway in [3] proposed the optimal asymmetric encryption padding (OAEP) modification for the widely used asymmetric RSA cryptosystem. It should be noted that the security of currently used asymmetric cryptosystems is based on the discrete logarithm or factorization problems. These problems can be solved efficiently by Shor's algorithm [4] on a quantum computer. An alternative to such cryptosystems is the McEliece cryptosystem [5], whose security is based on the problem of decoding a general linear code. In its original form the McEliece cryptosystem is not semantically secure, so the problem of constructing a semantically secure cryptosystem of the McEliece type is relevant. In [1] a modification was constructed that possesses the strongest security property, indistinguishability under adaptive chosen ciphertext attack (IND-CCA2). However, this property is achieved only in the random oracle model. This model was first used in [6]; it means that the protocol participants have access to an idealized function (oracle) that returns a truly random value for every new argument and repeats the corresponding output when an argument is repeated. In [7] a modification of the McEliece cryptosystem was constructed that has the property of indistinguishability under chosen plaintext attack (IND-CPA) without the random oracle model; in this case one says that the standard model is used. This modification was later used in [8] as the base cryptosystem for constructing a system with the IND-CCA2 property in the standard model. In [8] one information message is encrypted l times, which decreases the information transfer rate by at least a factor of l. It is important to note that l is the length of the digital signature key. To provide high security, according to [9] the key length of the asymmetric cryptosystem underlying the digital signature algorithm should be at least 256 bits. Hence the information transfer rate of the cryptosystem from [8] is essentially low. Consequently, the development of McEliece type cryptosystems with the IND-CCA2 property and a high information transfer rate is of current interest.

In the present paper the goal is to construct a McEliece type cryptosystem that has the IND-CPA property. Further, using the ideas of [8], we suppose that this system can be used as the base cryptosystem for building a McEliece type encryption scheme with the IND-CCA2 property and a higher information transfer rate.

The paper has the following structure. In Section 1 we introduce the basic definitions. Section 2 describes the McEliece cryptosystem [5] and its semantically secure modification [7]; three new cryptosystems are also constructed there. Two of them are used in Section 3 to prove the semantic security of the third one. Section 4 proposes a data transfer protocol using this modification.

1. Preliminaries

Let $\mathbb{F}_q$ be a Galois field of cardinality $q$, where $q$ is a power of a prime, and let $m = (m_1, \dots, m_n) \in \mathbb{F}_q^n$. The support of the vector $m$ is the set $\mathrm{supp}(m) = \{i : m_i \ne 0\}$, and the Hamming weight of this vector is the number $\mathrm{wt}(m) = |\mathrm{supp}(m)|$. For the vector $m \in \mathbb{F}_q^n$ and the ordered set $\omega \subseteq \{1, \dots, n\}$ we consider the projection operator $\pi_\omega : \mathbb{F}_q^n \to \mathbb{F}_q^{|\omega|}$ acting according to the rule

$$\pi_\omega(m) = (m_{i_1}, \dots, m_{i_{|\omega|}}), \quad i_j \in \omega,\ j = 1, \dots, |\omega|.$$

Let $x \in \mathbb{F}_q^{n_1}$, $y \in \mathbb{F}_q^{n_2}$, $z \in \mathbb{F}_q^n$, $n_1 + n_2 = n$, $\omega \subseteq \{1, \dots, n\}$, $|\omega| = n_1$; then $z = x \,\|\, y$ is the concatenation of the vectors $x$ and $y$. Denote by $z = x \,\|_\omega\, y$ the merging of these vectors over the ordered set $\omega$; in other words, $\pi_\omega(z) = x$ and $\pi_{\{1, \dots, n\} \setminus \omega}(z) = y$. Further we use the standard notation for writing algorithms and experiments described in [10]. By $y \leftarrow A(x_1, x_2, \dots)$ we mean that the algorithm $A$ runs with input parameters $x_1, x_2, \dots$ and outputs the value $y$. If the algorithm $A$ has access to the output of the algorithm (oracle) $O$, then we write $y \leftarrow A^O(x_1, x_2, \dots)$. If $S$ is a finite set, then $s \in_R S$ denotes picking an element uniformly at random from $S$. To denote an asymmetric encryption scheme we use a triple of algorithms $\mathcal{E} = (K, E, D)$, where 1) $K$ is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter $N \in \mathbb{N}$ and outputs a public key $pk$ and a secret key $sk$; 2) $E$ is a probabilistic polynomial-time encryption algorithm which receives as input a public key $pk$ and a message $m$ and outputs a ciphertext $c$; we write $\{m\}_{pk}$ for the encryption of the message $m$ under the key $pk$; 3) $D$ is a deterministic polynomial-time decryption algorithm which takes as input a secret key $sk$ and a ciphertext $c$ and outputs either a message $m$ or the symbol $\bot$ when the ciphertext is incorrect. The decryption of the ciphertext $c$ under the secret key $sk$ is denoted $\{c\}_{sk}$.

We say that a function $\gamma : \mathbb{N} \to [0, 1]$ is negligible in $k$ if $\forall c \in \mathbb{N}\ \exists k_c$ such that $\gamma(k) \le k^{-c}$ for all $k > k_c$.

Now we consider the notions of security of public key cryptosystems. The first one is indistinguishability under chosen plaintext attack, introduced in [2]. We consider it in the same way as [8].

Let $\mathcal{E}$ be an encryption scheme and let $A = (A_1, A_2)$ be an adversary. Note that $A$ is polynomial time if both the probabilistic algorithm $A_1$ and the probabilistic algorithm $A_2$ are polynomial time. Now one can consider the following experiment (Algorithm 1).

Algorithm 1. $\mathrm{Exp}^{cpa}_{\mathcal{E}, A}$
1: $(pk, sk) \leftarrow K(1^N)$;
2: $(m_0, m_1, st) \leftarrow A_1(pk)$;
3: $b \in_R \{0, 1\}$;
4: $c \leftarrow \{m_b\}_{pk}$;
5: $B \leftarrow A_2(c, st)$;
6: If $B = b$, then return 1, else return 0.

The meaning of this experiment can be explained by an example. Let $\mathcal{E}$ be the basic RSA cryptosystem over the ring $\mathbb{Z}_n$. The adversary selects two plaintexts using the algorithm $A_1$, which generates messages randomly or by using some feature of the cryptosystem. In the basic RSA cryptosystem the feature is that $\{0\}_{pk} = 0 \in \mathbb{Z}_n$ for any $pk$. Let $A_1$ always output a triple $(0, a, st)$, where $a \ne 0$ and $st$ is all the state information obtained during the run of $A_1$; for instance, $st$ contains the public key $pk$ and the generated messages $m_0, m_1$. Then the experimenter selects a random coin $b$ and encrypts $m_b$. The adversary's task, given the encryption $c$, is to determine which of the two plaintexts was encrypted. In this example the algorithm $A_2$ can be trivial: $A_2$ checks whether the resulting ciphertext is the number zero. If it is, then $A_2$ outputs 0 (corresponding to the zero plaintext), otherwise 1 (corresponding to the plaintext $a$).

The advantage of the adversary $A$ is determined by the value

$$\mathrm{Adv}^{cpa}_{\mathcal{E}, A}(N) = \left| P[\mathrm{Exp}^{cpa}_{\mathcal{E}, A} = 1] - \frac{1}{2} \right|,$$

where $P[A]$ denotes the probability of the event $A$. The cryptosystem $\mathcal{E}$ is said to have the IND-CPA property if for any polynomial algorithm $A = (A_1, A_2)$ the advantage $\mathrm{Adv}^{cpa}_{\mathcal{E}, A}(N)$ is a negligible function in $N$.
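To make the experiment and the RSA example above concrete, the following Python program is an added illustration (mine, not the paper's) of Algorithm 1 as a reusable harness. It runs textbook RSA on the constructed primes 61 and 53, the zero-versus-nonzero adversary described above, and a coin-flipping adversary for comparison; all function names and the parameter values are my own choices.

```python
"""The IND-CPA experiment of Algorithm 1, run against textbook (unpadded) RSA.

The scheme, adversaries and parameters are constructed for this illustration."""
import random


def rsa_keygen(p=61, q=53, e=17):
    """Textbook RSA on two small constructed primes: pk = (n, e), sk = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_encrypt(pk, m):
    """Deterministic: the same m always gives the same c, and {0}_pk = 0 for every pk."""
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


# A_1 from the text: always outputs (m_0, m_1) = (0, a) with a != 0 and keeps pk in st.
def a1_zero_vs_nonzero(pk, rng):
    n, _ = pk
    return 0, rng.randrange(1, n), {"pk": pk}


# A_2 from the text: output 0 iff the ciphertext is the zero element of Z_n.
def a2_is_zero(c, st, rng):
    return 0 if c == 0 else 1


# Baseline adversary that ignores the ciphertext; its advantage must be close to 0.
def a2_coin_flip(c, st, rng):
    return rng.randrange(2)


def ind_cpa_experiment(keygen, encrypt, a1, a2, rng):
    """One run of Exp^cpa_{E,A}: returns 1 if the adversary's bit B equals b."""
    pk, _sk = keygen()
    m0, m1, st = a1(pk, rng)
    b = rng.randrange(2)
    c = encrypt(pk, (m0, m1)[b])
    return int(a2(c, st, rng) == b)


def ind_cpa_advantage(keygen, encrypt, a1, a2, trials=2000, seed=0):
    """Empirical Adv^cpa = |P[Exp = 1] - 1/2| over repeated independent runs."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_experiment(keygen, encrypt, a1, a2, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("zero-test adversary:", ind_cpa_advantage(rsa_keygen, rsa_encrypt, a1_zero_vs_nonzero, a2_is_zero))
    print("coin-flip adversary:", ind_cpa_advantage(rsa_keygen, rsa_encrypt, a1_zero_vs_nonzero, a2_coin_flip))
```

With the zero-test adversary every run of the experiment returns 1, so the empirical advantage is exactly 1/2, the maximum possible; the coin-flip adversary stays near 0. Any probabilistic encryption that removes the fixed point $\{0\}_{pk} = 0$ defeats this particular $A_2$, which is the motivation for the randomized constructions studied later in the paper.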

Now let the adversary $A^D = (A_1^D, A_2^D)$ have access to the decryption oracle $D$. By $A_i^{D\{\cdot\}}$ we mean that the adversary $A_i^D$ may make a polynomial number of queries to the oracle $D$. Let us consider the following experiment (Algorithm 2).

Algorithm 2. $\mathrm{Exp}^{cca2}_{\mathcal{E}, A^D}$
1: $(pk, sk) \leftarrow K(1^N)$;
2: $(m_0, m_1, st) \leftarrow A_1^{D\{\cdot\}}(pk)$;
3: $b \in_R \{0, 1\}$;
4: $c^* \leftarrow \{m_b\}_{pk}$;
5: $B \leftarrow A_2^{D\{\cdot\}}(c^*, st)$, where $D\{c^*\} = \bot$;
6: If $B = b$, then return 1, otherwise 0.

The principal difference from the previous experiment is that the algorithms $A_1$ and $A_2$ have access to the decryption oracle. The decryption oracle takes a ciphertext as input and outputs the corresponding plaintext in polynomial time. The only limitation is that this oracle cannot be queried on the ciphertext produced by the experimenter in step 4 ($D\{c^*\} = \bot$). In [11] a practical attack on the RSA standard PKCS #1 (which the SSL protocol used at that time) was presented; it was based on the idea of a decryption oracle.

The advantage of the adversary $A^D$ is

$$\mathrm{Adv}^{cca2}_{\mathcal{E}, A^D}(N) = \left| P[\mathrm{Exp}^{cca2}_{\mathcal{E}, A^D} = 1] - \frac{1}{2} \right|.$$

The cryptosystem $\mathcal{E}$ is said to have the IND-CCA2 property if for any polynomial algorithm $A^D$ the advantage $\mathrm{Adv}^{cca2}_{\mathcal{E}, A^D}(N)$ is a negligible function in $N$.

Further we need some notions from [12, p. 22-26]. Let $X_0$ and $X_1$ be finite random variables with the set of values $D$. Then the statistical distance is the function

$$\delta(X_0, X_1) = \frac{1}{2} \sum_{d \in D} \left| P[X_0 = d] - P[X_1 = d] \right|.$$

Let $\mathcal{A}$ be a class of polynomial-time algorithms which take a ciphertext $c$ and some state information $st$ as input and output one bit. For example, within the framework of the experiment $\mathrm{Exp}^{cpa}_{\mathcal{E}, A}$ the algorithm $A_2$ belongs to this class.

We say that the ciphertexts of two different cryptosystems $\mathcal{E}_1 = (K, E_1, D_1)$ and $\mathcal{E}_2 = (K, E_2, D_2)$ are indistinguishable by the class of polynomial algorithms $\mathcal{A}$ if for any information message $m$ and for all $A \in \mathcal{A}$

$$\delta\big(A(\{m\}^{\mathcal{E}_1}_{pk}, st_1),\ A(\{m\}^{\mathcal{E}_2}_{pk}, st_2)\big)$$

is a negligible function in $N$, where $pk$ is generated by $K(1^N)$. It is not difficult to verify that for all $A \in \mathcal{A}$

$$\delta\big(A(\{m\}^{\mathcal{E}_1}_{pk}, st_1),\ A(\{m\}^{\mathcal{E}_2}_{pk}, st_2)\big) = \left| P[A(\{m\}^{\mathcal{E}_1}_{pk}, st_1) = 0] - P[A(\{m\}^{\mathcal{E}_2}_{pk}, st_2) = 0] \right|.$$

Lemma 1. Let $\mathcal{E}_1 = (K, E_1, D_1)$ and $\mathcal{E}_2 = (K, E_2, D_2)$ be cryptosystems and let $\mathcal{E}_1$ have the IND-CPA property. If the ciphertexts of these two cryptosystems are indistinguishable by the class of polynomial algorithms $\mathcal{A}$, then $\mathcal{E}_2$ has the IND-CPA property.

Proof. Suppose that there is an adversary $A = (A_1, A_2)$ such that $\mathrm{Adv}^{cpa}_{\mathcal{E}_2, A}(N)$ is a function $\varphi$ that is not negligible in $N$. We construct an adversary $B = (B_1, B_2)$ on the basis of $A$ and estimate $\mathrm{Adv}^{cpa}_{\mathcal{E}_1, B}(N)$. Let $pk_1$ be a public key generated by $K$. The algorithm $B_1$ takes $pk_1$ as input and generates a public key $pk_2$ using $K$. Then $B_1$ calls the algorithm $A_1(pk_2)$ and outputs its triple $(m_0, m_1, st_1)$. Thus, in spite of the different public keys, the outputs of $B_1(pk_1)$ and $A_1(pk_2)$ are identical. The algorithm $B_2$ simply calls $A_2$ on its input. Since the experiments $\mathrm{Exp}^{cpa}_{\mathcal{E}_1, B}$ and $\mathrm{Exp}^{cpa}_{\mathcal{E}_2, A}$ differ in the fourth step, the outputs of $B_2$ and $A_2$ may differ. Consider the statistical distance between their outputs. By the condition of the lemma, the ciphertexts are indistinguishable by the class of polynomial algorithms $\mathcal{A}$. Since $A_2$ belongs to this class, $\left| P[A_2(\{m\}^{\mathcal{E}_1}_{pk_1}, st_1) = 0] - P[A_2(\{m\}^{\mathcal{E}_2}_{pk_2}, st_2) = 0] \right| = \eta$, where $\eta$ is a negligible function in $N$. Because $B_2$ simply calls $A_2$, we have

$$\left| P[B_2(\{m\}^{\mathcal{E}_1}_{pk_1}, st_1) = 0] - P[A_2(\{m\}^{\mathcal{E}_2}_{pk_2}, st_2) = 0] \right| = \eta.$$

It follows that $\mathrm{Adv}^{cpa}_{\mathcal{E}_1, B}(N) = \varphi \pm \eta$, since $\mathrm{Adv}^{cpa}_{\mathcal{E}_1, B}(N)$ is directly related to the output of $B_2$. But $\varphi \pm \eta$ is not negligible in $N$. This contradicts the fact that $\mathcal{E}_1$ has the IND-CPA property. ■

2. McEliece type cryptosystems

Consider the McEliece cryptosystem $\mathrm{McE}(C)$ on a linear $[n, k, d]$-code $C \subseteq \mathbb{F}_q^n$, where $n$ is the length, $k$ is the dimension and $d$ is the minimum distance of the code. Let $G$ be a generator matrix of the code $C$ and $t = \lfloor (d - 1)/2 \rfloor$. A secret key $sk$ is a pair $(S, P)$, where $S$ is a non-singular $(k \times k)$-matrix over the field $\mathbb{F}_q$ and $P$ is a permutation $(n \times n)$-matrix. A public key $pk$ is the pair $(\tilde G = SGP, t)$. Encryption of a message $x \in \mathbb{F}_q^k$ is performed according to the rule

$$\{x\}^{\mathrm{McE}}_{pk} = x \tilde G + e = y, \quad \mathrm{wt}(e) \le t.$$

To decrypt the ciphertext $y$ one uses an efficient decoder $\mathrm{Dec}_C : \mathbb{F}_q^n \to \mathbb{F}_q^k$ of the code $C$ and the secret key $sk$:

$$\{y\}^{\mathrm{McE}}_{sk} = \mathrm{Dec}_C(y P^{-1}) S^{-1}. \quad (1)$$

For the same code $C$ we consider the modification $\mathrm{McE}^l(C)$ of the McEliece cryptosystem described in [7], where the encryption rule has the form

$$\{x\}^{\mathrm{McE}^l}_{pk} = \{x \,\|\, v\}^{\mathrm{McE}}_{pk} = y, \quad x \in \mathbb{F}_q^l,\ v \in_R \mathbb{F}_q^{k-l}. \quad (2)$$

To decrypt the ciphertext $y$ it is enough to apply rule (1) and discard the last $k - l$ symbols:

$$\{y\}^{\mathrm{McE}^l}_{sk} = \{y\}^{\mathrm{McE}}_{sk} (I_l \,\|\, O_{k-l})^T,$$

where $I_l$ is the identity $(l \times l)$-matrix, $O_{k-l}$ is the zero $((k-l) \times (k-l))$-matrix and $A^T$ is the transpose of the matrix $A$.

On the basis of the cryptosystem $\mathrm{McE}^l(C)$ we construct a new cryptosystem $2\mathrm{McE}^l(C)$, in which a message of length $l$ is encrypted twice according to rule (2):

$$\{x\}^{2\mathrm{McE}^l}_{pk} = \{x\}^{\mathrm{McE}^l}_{pk} \,\|\, \{x\}^{\mathrm{McE}^l}_{pk} = y, \quad x \in \mathbb{F}_q^l.$$

Then the decryption rule can be written in the form

$$\{y\}^{2\mathrm{McE}^l}_{sk} = \{y (I_n \,\|\, O_n)^T\}^{\mathrm{McE}^l}_{sk}.$$

Consider the subset $G_l$ of the permutation group $S_k$ acting on the elements of the set $\{1, \dots, k\}$ such that for any $\pi \in G_l$ the condition $\pi(1) < \dots < \pi(l)$ is satisfied. The set $\{\pi(1), \dots, \pi(l)\}$ is denoted by $\omega_\pi$. Note that $|G_l| = C_k^l (k - l)!$, since there are only $C_k^l$ subsets of cardinality $l$ in a set of $k$ elements, and for each such subset $\omega$ there is a class $G(\omega) \subseteq S_k$ of permutations with cardinality $|G(\omega)| = (k - l)!$. With every permutation $\pi$ from $G_l$ we associate a permutation $(k \times k)$-matrix $R_\pi$. Consider the cryptosystem $\omega 2\mathrm{McE}'^l$ with the encryption rule

$$\{x\}^{\omega 2\mathrm{McE}'^l}_{pk} = \{(x \,\|\, v_1) R_\pi\}^{\mathrm{McE}}_{pk} \,\|\, \{(x \,\|\, v_2) R_\pi\}^{\mathrm{McE}}_{pk} = y, \quad (3)$$

where $x \in \mathbb{F}_q^l$, $v_i \in_R \mathbb{F}_q^{k-l}$, $i = 1, 2$, $\pi \in_R G_l$. For decryption, in addition to the secret key $sk$, the recipient needs to know the matrix $R_\pi$. Then the decryption rule takes the form

$$\{y\}^{\omega 2\mathrm{McE}'^l}_{sk} = \big(\{y (I_n \,\|\, O_n)^T\}^{\mathrm{McE}}_{sk} \cdot R_\pi^{-1}\big)(I_l \,\|\, O_{k-l})^T.$$

Finally, we construct a cryptosystem $\omega 2\mathrm{McE}^l$ based on the previous one with the following restriction: $\mathrm{supp}(v_1 - v_2) = \{1, \dots, k\} \setminus \omega_\pi$. Then, for decryption, the recipient does not need the matrix $R_\pi$. To find $\omega$, it suffices to compute the vector

$$z = \{y (I_n \,\|\, O_n)^T\}^{\mathrm{McE}}_{sk} - \{y (O_n \,\|\, I_n)^T\}^{\mathrm{McE}}_{sk}$$

and find its support $\mathrm{supp}(z)$. Then the decryption rule takes the form

$$\{y\}^{\omega 2\mathrm{McE}^l}_{sk} = (z \cdot R_\pi^{-1})(I_l \,\|\, O_{k-l})^T, \quad \pi \in G_l(\omega),\ \omega = \mathrm{supp}(z).$$

3. Semantic security of McEliece type cryptosystems

3.1. Security assumptions

Let $\mathrm{McE}(C)$ be the basic McEliece cryptosystem with security parameter $N$. The security of $\mathrm{McE}(C)$ is based on the problem of decoding a random linear code [5]. Note that if there is no polynomial algorithm capable of distinguishing the $(k \times n)$-matrix of the public key of the $\mathrm{McE}(C)$ cryptosystem from a random $(k \times n)$-matrix with non-negligible probability in $N$, then the cryptosystem $\mathrm{McE}^l(C)$ has the IND-CPA property [7].

Further we will use two additional assumptions.

Assumption 1. There is no polynomial algorithm that can distinguish two random noisy codewords of the code $C$ from random vectors with non-negligible probability in the security parameter $N$.

The assumption is based on the fact that no such polynomial algorithms are currently known. For example, the recent algorithms [13-15] that solve this problem are not polynomial.

Assumption 2. There is no polynomial algorithm that takes as input a ciphertext $c$ of $\mathrm{McE}(C)$ and a number $l \in \mathbb{N}$ and outputs 0 if $c$ corresponds to an information message of weight less than $l$ and 1 if $c$ corresponds to an information message of weight $l$, with non-negligible distinguishing advantage in $N$.

3.2. IND-CPA security of $2\mathrm{McE}^l(C)$

It is easy to verify that the cryptosystem $\mathrm{McE}(C)$ is not IND-CPA-secure for an arbitrary $[n, k, d]$-code $C$. At the same time, the cryptosystem $\mathrm{McE}^l(C)$ on a Goppa code $C$ is IND-CPA-secure [7].

Let us write the matrix $\tilde G$ of the public key of the cryptosystem $\mathrm{McE}^l(C)$ in the form

$$\tilde G = \begin{pmatrix} \tilde G_1 \\ \tilde G_2 \end{pmatrix},$$

where $\tilde G_1$ is an $(l \times n)$-matrix and $\tilde G_2$ is a $((k - l) \times n)$-matrix. To prove the IND-CPA security of the cryptosystem $2\mathrm{McE}^l(C)$, consider an algorithm $\mathcal{D} = (\mathcal{D}_1, \mathcal{D}_2)$ and the following experiment (Algorithm 3).

Algorithm 3. $\mathrm{Exp}^{\mathcal{D}1}_{\tilde G, t, \mathcal{D}}$
1: $m_0 \leftarrow \mathcal{D}_1(N)$;
2: $b \in_R \{0, 1\}$;
3: If $b = 1$, then $c = \{m_0\}^{2\mathrm{McE}^l}_{pk}$, otherwise $c \in_R \mathbb{F}_q^{2n}$;
4: $B \leftarrow \mathcal{D}_2(c, m_0)$;
5: If $B = b$, return 1, otherwise 0.

It is important to note that the algorithm $\mathcal{D}_2$ makes its decision from the two vectors alone and does not accumulate vectors.

Suppose that there exist a polynomial $q(N)$, a polynomial algorithm $\mathcal{D}' = (\mathcal{D}'_1, \mathcal{D}'_2)$ and an infinite subsequence of natural numbers $(N_1, N_2, \dots)$ such that for all $i = 1, 2, \dots$ the following inequality holds:

$$P[\mathrm{Exp}^{\mathcal{D}1}_{\tilde G, t, \mathcal{D}'} = 1] \ge \frac{1}{2} + \frac{1}{q(N_i)}. \quad (4)$$

In other words, the algorithm $\mathcal{D}'$ distinguishes with non-negligible probability a pair of ciphertexts corresponding to one information message from a pair of random vectors. Let us construct one more algorithm $W^{\mathcal{D}}$ and the experiment $\mathrm{Exp}^{\mathcal{D}2}_{\tilde G_2, t, W^{\mathcal{D}}}$ (Algorithm 4).

Algorithm 4. $\mathrm{Exp}^{\mathcal{D}2}_{\tilde G_2, t, W^{\mathcal{D}}}$
1: $b \in_R \{0, 1\}$;
2: If $b = 0$, then $y_1, y_2 \in_R \mathbb{F}_q^n$, otherwise $y_i = r_i \tilde G_2 + e_i$, $r_i \in_R \mathbb{F}_q^{k-l}$, $\mathrm{wt}(e_i) \le t$, $i = 1, 2$;
3: $B \leftarrow W^{\mathcal{D}}(y_1, y_2, \tilde G_2, t)$;
4: If $B = b$, then return 1, else 0.

In the experiment $\mathrm{Exp}^{\mathcal{D}2}_{\tilde G_2, t, W^{\mathcal{D}}}$ the given algorithm $W^{\mathcal{D}}$ distinguishes two random noisy codewords of the code with generator matrix $\tilde G_2$ from random vectors. Using $\mathcal{D}'$, one can construct a polynomial algorithm $W^{\mathcal{D}'}$ that solves this distinguishing problem (Algorithm 5).

Algorithm 5. $W^{\mathcal{D}'}(y_1, y_2, \tilde G_2, t)$
1: $m_0 \leftarrow \mathcal{D}'_1(N)$;
2: $c' = (m_0 \tilde G_1 + y_1) \,\|\, (m_0 \tilde G_1 + y_2)$;
3: Return $\mathcal{D}'_2(c', m_0)$.

Given (4), we get $P[\mathrm{Exp}^{\mathcal{D}2}_{\tilde G_2, t, W^{\mathcal{D}'}} = 1] \ge \frac{1}{2} + \frac{1}{q(N_i)}$. But this contradicts Assumption 1.

Hence for any polynomial algorithm $\mathcal{D}'$ and any polynomial $q(N)$ the following inequality holds:

$$\left| P[\mathrm{Exp}^{\mathcal{D}1}_{\tilde G, t, \mathcal{D}'}(N) = 1] - \frac{1}{2} \right| < \frac{1}{q(N)}. \quad (5)$$

Note that for the experiment $\mathrm{Exp}^{\mathcal{D}3}_{\tilde G, t, \mathcal{M}}$ (Algorithm 6) the probability of the outcome 1 also differs from $1/2$ by a negligibly small function. Otherwise, based on the corresponding algorithm, one could construct an algorithm $W^{\mathcal{D}''}$ with non-negligible $\left| P[\mathrm{Exp}^{\mathcal{D}2}_{\tilde G_2, t, W^{\mathcal{D}''}}(N) = 1] - 1/2 \right|$ in $N$.

Hence it follows that there is no polynomial algorithm $Q$ that distinguishes the ciphertext $\{m_0\}^{2\mathrm{McE}^l}_{pk}$ from $[\{m_1\}^{\mathrm{McE}^l}_{pk} \,\|\, \{m_2\}^{\mathrm{McE}^l}_{pk}]$ with probability non-negligibly greater than $1/2$ for any $m_0, m_1, m_2$. Otherwise we could construct a polynomial algorithm $\mathcal{D} = (\mathcal{D}_1, \mathcal{D}_2)$ (see Algorithm 7) for the experiment $\mathrm{Exp}^{\mathcal{D}1}_{\tilde G, t, \mathcal{D}}$ which would distinguish a pair of ciphertexts from a pair of random vectors with non-negligible probability, contradicting the assumption.

Algorithm 6. $\mathrm{Exp}^{\mathcal{D}3}_{\tilde G, t, \mathcal{M}}$
1: $m_1, m_2 \leftarrow \mathcal{M}_1(N)$;
2: $b \in_R \{0, 1\}$;
3: If $b = 1$, then $c = [\{m_1\}^{\mathrm{McE}^l}_{pk} \,\|\, \{m_2\}^{\mathrm{McE}^l}_{pk}]$, otherwise $c \in_R \mathbb{F}_q^{2n}$;
4: $B \leftarrow \mathcal{M}_2(c, m_1, m_2)$;
5: If $B = b$, return 1, otherwise 0.

Algorithm 7. $\mathcal{D}_2(c_0, m_0)$
1: $m_1, m_2 \leftarrow \mathcal{M}_1(N)$;
2: $c_1 = \{m_1\}^{\mathrm{McE}^l}_{pk} \,\|\, \{m_2\}^{\mathrm{McE}^l}_{pk} + c_0$;
3: $v \in_R \{0, 1\}$;
4: Return $Q(c_v, m_0, m_1 + m_0, m_2 + m_0)$.

Theorem 1. If the cryptosystem $\mathrm{McE}^l(C)$ has the IND-CPA property, then the cryptosystem $2\mathrm{McE}^l(C)$ also has this property.

Proof. Suppose that the cryptosystem $2\mathrm{McE}^l(C)$ does not have the IND-CPA property. Then there exist a polynomial algorithm (adversary) $A' = (A'_1, A'_2)$, a polynomial $p(N)$ and an infinite subsequence of natural numbers $(N_1, N_2, \dots)$ such that for all $i = 1, 2, \dots$ the following inequality holds:

$$\mathrm{Adv}^{cpa}_{2\mathrm{McE}^l, A'}(N_i) \ge \frac{1}{p(N_i)}. \quad (6)$$

On the basis of the algorithm $A'$ we construct an algorithm $A'' = (A''_1, A''_2)$ for an attack on the cryptosystem $\mathrm{McE}^l$. The algorithm $A''_2$ takes as input a ciphertext $c = \{m_b\}^{\mathrm{McE}^l}_{pk}$ of the cryptosystem $\mathrm{McE}^l(C)$ and two messages $m_0, m_1$; it randomly picks the value $v$ from $\{0, 1\}$ and returns the result $A'_2(c \,\|\, \{m_v\}^{\mathrm{McE}^l(C)}_{pk})$. Then

$$P[\mathrm{Exp}^{cpa}_{\mathrm{McE}^l, A''} = 1] = \frac{1}{2} P[A'_2(\{M\}^{\mathrm{McE}^l(C)}_{pk} \,\|\, \{M'\}^{\mathrm{McE}^l(C)}_{pk}) = 1 \mid M = M'] + \frac{1}{2} P[A'_2(\{M\}^{\mathrm{McE}^l(C)}_{pk} \,\|\, \{M'\}^{\mathrm{McE}^l(C)}_{pk}) = 1 \mid M \ne M'].$$

From (6) we get $\left| P[A'_2(\{M\}^{\mathrm{McE}^l(C)}_{pk} \,\|\, \{M'\}^{\mathrm{McE}^l(C)}_{pk}) = 1 \mid M = M'] - 1/2 \right| \ge 1/p(N_i)$, and from the explanation following (5) we have

$$\left| P[A'_2(\{M\}^{\mathrm{McE}^l(C)}_{pk} \,\|\, \{M'\}^{\mathrm{McE}^l(C)}_{pk}) = 1 \mid M \ne M'] - \frac{1}{2} \right| < \frac{1}{q(N)}.$$

In this way,

$$\left| P[\mathrm{Exp}^{cpa}_{\mathrm{McE}^l, A''} = 1] - \frac{1}{2} \right| \ge \frac{1}{p(N_i)} \pm \theta(N),$$

where $\theta(N)$ is a negligibly small function. Since $\frac{1}{p(N_i)} \pm \theta(N)$ is not a negligibly small function, we have obtained that the cryptosystem $\mathrm{McE}^l(C)$ does not have the IND-CPA property, which contradicts the condition. ■

3.3. IND-CPA property for $\omega 2\mathrm{McE}'^l(C)$

Lemma 2. If the cryptosystem $2\mathrm{McE}^l(C)$ has the IND-CPA property, then the cryptosystem $\omega 2\mathrm{McE}'^l(C)$ also has this property.

Proof. The encryption rule (3) can be rewritten as

$$\{x\}^{\omega 2\mathrm{McE}'^l}_{pk} = ((x \,\|\, v_1) R_\pi \tilde G \oplus e_1) \,\|\, ((x \,\|\, v_2) R_\pi \tilde G \oplus e_2).$$

Denote $\tilde G' = R_\pi \tilde G$. Then we get

$$\{x\}^{\omega 2\mathrm{McE}'^l}_{pk} = ((x \,\|\, v_1) \tilde G' \oplus e_1) \,\|\, ((x \,\|\, v_2) \tilde G' \oplus e_2) = \{x\}^{\mathrm{McE}^l}_{pk'} \,\|\, \{x\}^{\mathrm{McE}^l}_{pk'} = \{x\}^{2\mathrm{McE}^l}_{pk'},$$

where $pk' = (\tilde G', t)$. Thus by construction $\omega 2\mathrm{McE}'^l(C)$ is the same as $2\mathrm{McE}^l(C)$ but with a different pair $(pk, sk)$. Hence $\omega 2\mathrm{McE}'^l(C)$ also has the IND-CPA property. ■

Note that the adversary does not know the relationship between $(pk, sk)$ and $(pk', sk')$. Hence adding a permutation to the cryptosystem $2\mathrm{McE}^l(C)$ with the help of the set $\omega$ can only increase its security.

3.4. IND-CPA property for $\omega 2\mathrm{McE}^l(C)$

Theorem 2. The cryptosystem $\omega 2\mathrm{McE}^l(C)$ has the IND-CPA property if the cryptosystem $\omega 2\mathrm{McE}'^l(C)$ has this property.

Proof. For the proof it suffices to show that the ciphertexts of the cryptosystems $\omega 2\mathrm{McE}^l(C)$ and $\omega 2\mathrm{McE}'^l(C)$ corresponding to one information message are indistinguishable by the class of algorithms $\mathcal{A}$. We fix an arbitrary $m$ and write the ciphertexts of the cryptosystems $\omega 2\mathrm{McE}^l(C)$ and $\omega 2\mathrm{McE}'^l(C)$ as systems of the form

$$\{m\}^{\omega 2\mathrm{McE}^l}_{pk} = X \,\|\, Y, \quad \begin{cases} X = m \tilde G_1 \oplus r_1 \tilde G_2 \oplus e_1, \\ Y = m \tilde G_1 \oplus (1 \oplus r_1) \tilde G_2 \oplus e_2, \end{cases}$$

$$\{m\}^{\omega 2\mathrm{McE}'^l}_{pk} = X \,\|\, Y', \quad \begin{cases} X = m \tilde G_1 \oplus r_1 \tilde G_2 \oplus e'_1, \\ Y' = m \tilde G_1 \oplus r_2 \tilde G_2 \oplus e'_2. \end{cases}$$

Denote $r'_2 = r_1 \oplus r_2$. Then the systems can be rewritten as

$$\{m\}^{\omega 2\mathrm{McE}^l}_{pk} = X \,\|\, Y, \quad \begin{cases} X = m \tilde G_1 \oplus r_1 \tilde G_2 \oplus e_1, \\ Y = m \tilde G_1 \oplus r_1 \tilde G_2 \oplus 1 \tilde G_2 \oplus e_2, \end{cases}$$

$$\{m\}^{\omega 2\mathrm{McE}'^l}_{pk} = X \,\|\, Y', \quad \begin{cases} X = m \tilde G_1 \oplus r_1 \tilde G_2 \oplus e'_1, \\ Y' = m \tilde G_1 \oplus r_1 \tilde G_2 \oplus r'_2 \tilde G_2 \oplus e'_2. \end{cases}$$

Now we consider the last parts of $Y$ and $Y'$: $LP = 1 \tilde G_2 \oplus e_2$ and $LP' = r'_2 \tilde G_2 \oplus e'_2$. Denote by $Z$ the vector with $Y = Z \oplus LP$ and by $Z'$ the vector with $Y' = Z' \oplus LP'$. By (5), the rest $X \,\|\, Z'$ does not provide any information about $LP$. Note that $X \,\|\, Z' = X \,\|\, Z$. Hence $X \,\|\, Z'$ does not provide any information about $LP'$ either. Consequently, to distinguish the ciphertexts one has to distinguish $LP$ and $LP'$. A vector $LP$ of the form $1 \tilde G_2 \oplus e_2$ can be rewritten as $(0 \,\|\, 1) R_\pi \tilde G \oplus e_2$. Thus, for a random choice of $\omega$, $LP$ is a ciphertext of the basic McEliece cryptosystem corresponding to a random information message of fixed weight $l$. The vector $LP' = (r_1 \oplus r_2) \tilde G_2 \oplus e'_2$ can similarly be rewritten as $(0 \,\|\, r_1 \oplus r_2) R_\pi \tilde G \oplus e'_2$ and is also a ciphertext of the basic McEliece cryptosystem, but corresponding to a random information message of arbitrary weight not exceeding $l$. By Assumption 2, no algorithm for distinguishing vectors of this kind exists. Hence the ciphertexts of the cryptosystems $\omega 2\mathrm{McE}^l(C)$ and $\omega 2\mathrm{McE}'^l(C)$ corresponding to one information message are indistinguishable by the class of algorithms $\mathcal{A}$. ■

4. Implementation of $\omega 2\mathrm{McE}$

We propose a possible implementation of $\omega 2\mathrm{McE}$ by modifying the $k$-repetition scheme [8]. The idea of the $k$-repetition scheme is to encrypt the information message $k$ times using an IND-CPA-secure cryptosystem $\mathcal{E}$. Encryption in the $k$-repetition scheme has the form $\{m\}_{pk_1} \,\|\, \{m\}_{pk_2} \,\|\, \dots \,\|\, \{m\}_{pk_k}$. Note that encryption requires $k$ distinct key pairs. We suggest using $\omega 2\mathrm{McE}$ in the $k$-repetition scheme with some modifications. The idea of our modification is to encrypt $k/2$ information messages using only one set $\omega$, so that encryption takes the form $\{m_1\}^{\omega 2\mathrm{McE}}_{pk_1} \,\|\, \{m_2\}^{\omega 2\mathrm{McE}}_{pk_2} \,\|\, \dots \,\|\, \{m_{k/2}\}^{\omega 2\mathrm{McE}}_{pk_{k/2}}$. In fact, this still requires $k$ encryptions. Recall that $k$ is the length of the signature key and should be more than 512. However, our construction transmits $k/2$ information messages; hence, with this approach, the data transfer rate increases by a factor of $k/2$.
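The following Python program is an added toy implementation (mine, not the authors') of the chain $\mathrm{McE} \to \mathrm{McE}^l \to 2\mathrm{McE}^l \to \omega 2\mathrm{McE}'^l \to \omega 2\mathrm{McE}^l$ from Section 2, together with the shared-$\omega$ batching proposed in this section. It works over $\mathbb{F}_2$ on the $[7, 4, 3]$ Hamming code with $t = 1$, $k = 4$ and $l = 2$, so every key, message and error vector is a constructed toy value with no security; the Goppa-code parameters of a real instance are not modelled. Two assumptions are made explicit in the code: for $\omega 2\mathrm{McE}^l$ the decryptor takes $\omega_\pi$ to be the complement of $\mathrm{supp}(z)$, because the restriction $\mathrm{supp}(v_1 - v_2) = \{1, \dots, k\} \setminus \omega_\pi$ places the nonzero coordinates of $z$ exactly outside $\omega_\pi$, and it applies $R_{\pi'}^{-1}$ to the first decoded half for any $\pi' \in G_l(\omega)$, which recovers $x$ because every such $\pi'$ sends the first $l$ coordinates to the same sorted positions. The batching uses one fresh $\pi$ per batch and independent padding per message; all function names are my own.

```python
"""Toy versions of the Section 2 constructions over F_2 on the [7,4,3] Hamming code (t = 1),
plus the shared-omega batching of Section 4. Illustration only; real instances use Goppa codes."""
import random

# Systematic generator and parity-check matrices of the [7,4,3] Hamming code.
G = [[1,0,0,0,1,1,0], [0,1,0,0,1,0,1], [0,0,1,0,0,1,1], [0,0,0,1,1,1,1]]
H = [[1,1,0,1,1,0,0], [1,0,1,1,0,1,0], [0,1,1,1,0,0,1]]
N, K, T = 7, 4, 1

def vecmat(v, M):  # row vector times matrix over F_2
    return [sum(v[i] & M[i][j] for i in range(len(v))) & 1 for j in range(len(M[0]))]
def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def gf2_inverse(M):
    """Gauss-Jordan inverse over F_2; None if M is singular."""
    k = len(M)
    A = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(M)]
    for col in range(k):
        piv = next((r for r in range(col, k) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        A = [xor(row, A[col]) if r != col and row[col] else row for r, row in enumerate(A)]
    return [row[k:] for row in A]

def permute(v, perm):  # v R_perm: coordinate j of v moves to position perm[j]
    return [v[perm.index(i)] for i in range(len(v))]
def unpermute(w, perm):  # w R_perm^{-1}
    return [w[p] for p in perm]

def decode_hamming(y):
    """Dec_C: correct at most one error and return the K-bit information word."""
    y, s = list(y), [sum(H[r][j] & y[j] for j in range(N)) & 1 for r in range(3)]
    if any(s):  # a nonzero syndrome equals the column of H at the error position
        y[next(j for j in range(N) if [H[r][j] for r in range(3)] == s)] ^= 1
    return y[:K]  # systematic code: the information word is the first K symbols

def mce_keygen(rng):  # McE(C): pk = (S G P, t), sk = (S^{-1}, P)
    S_inv = None
    while S_inv is None:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = gf2_inverse(S)
    P = rng.sample(range(N), N)
    return ([permute(vecmat(row, G), P) for row in S], T), (S_inv, P)
def mce_encrypt(pk, x, rng):  # y = x G~ + e with wt(e) = t
    G_pub, t = pk
    err = set(rng.sample(range(N), t))
    return xor(vecmat(x, G_pub), [int(i in err) for i in range(N)])
def mce_decrypt(sk, y):  # rule (1): Dec_C(y P^{-1}) S^{-1}
    S_inv, P = sk
    return vecmat(decode_hamming(unpermute(y, P)), S_inv)

def mcel_encrypt(pk, x, l, rng):  # McE^l(C), rule (2): random padding v in F_2^{k-l}
    return mce_encrypt(pk, x + [rng.randrange(2) for _ in range(K - l)], rng)
def mcel_decrypt(sk, y, l):
    return mce_decrypt(sk, y)[:l]
def mce2l_encrypt(pk, x, l, rng):  # 2McE^l(C): the same x encrypted twice
    return mcel_encrypt(pk, x, l, rng) + mcel_encrypt(pk, x, l, rng)
def mce2l_decrypt(sk, y, l):
    return mcel_decrypt(sk, y[:N], l)

def sample_pi(l, rng):  # pi in G_l: pi(1) < ... < pi(l) form omega_pi, the rest in any order
    omega = sorted(rng.sample(range(K), l))
    rest = [i for i in range(K) if i not in omega]
    rng.shuffle(rest)
    return omega + rest
def w2mcel_prime_encrypt(pk, x, l, pi, rng):  # omega2McE'^l(C), rule (3)
    return sum((mce_encrypt(pk, permute(x + [rng.randrange(2) for _ in range(K - l)], pi), rng) for _ in range(2)), [])
def w2mcel_prime_decrypt(sk, y, l, pi):  # the receiver must know R_pi
    return unpermute(mce_decrypt(sk, y[:N]), pi)[:l]

def w2mcel_encrypt(pk, x, l, pi, rng):  # omega2McE^l(C): supp(v1 - v2) = {1..k} \ omega_pi
    v1 = [rng.randrange(2) for _ in range(K - l)]
    v2 = [b ^ 1 for b in v1]  # over F_2 the restriction means v2 = v1 + (1,...,1)
    return mce_encrypt(pk, permute(x + v1, pi), rng) + mce_encrypt(pk, permute(x + v2, pi), rng)
def w2mcel_decrypt(sk, y, l):  # no R_pi needed: omega_pi is where the two decoded halves agree
    w1, w2 = mce_decrypt(sk, y[:N]), mce_decrypt(sk, y[N:])
    z = xor(w1, w2)
    omega = [i for i in range(K) if not z[i]]  # complement of supp(z) (assumption, see lead-in)
    return [w1[i] for i in omega]  # = (w1 R_pi'^{-1})(I_l || O)^T for any pi' in G_l(omega)

def batch_encrypt(pk, msgs, l, rng):  # Section 4: several messages under one omega
    pi = sample_pi(l, rng)
    return sum((w2mcel_encrypt(pk, m, l, pi, rng) for m in msgs), [])
def batch_decrypt(sk, y, l):
    return [w2mcel_decrypt(sk, y[i:i + 2 * N], l) for i in range(0, len(y), 2 * N)]

def roundtrip_all(seed=7, l=2):  # True iff every scheme recovers its message
    rng = random.Random(seed)
    pk, sk = mce_keygen(rng)
    x4, pi = [rng.randrange(2) for _ in range(K)], sample_pi(l, rng)
    x, msgs = x4[:l], [[rng.randrange(2) for _ in range(l)] for _ in range(3)]
    return (mce_decrypt(sk, mce_encrypt(pk, x4, rng)) == x4
            and mcel_decrypt(sk, mcel_encrypt(pk, x, l, rng), l) == x
            and mce2l_decrypt(sk, mce2l_encrypt(pk, x, l, rng), l) == x
            and w2mcel_prime_decrypt(sk, w2mcel_prime_encrypt(pk, x, l, pi, rng), l, pi) == x
            and w2mcel_decrypt(sk, w2mcel_encrypt(pk, x, l, pi, rng), l) == x
            and batch_decrypt(sk, batch_encrypt(pk, msgs, l, rng), l) == msgs)
```

`batch_encrypt` emits $2n$ symbols per message, so a batch of $k/2$ messages costs the same $k$ basic McEliece encryptions as one message in the $k$-repetition scheme while carrying $k/2$ messages, which is the rate gain claimed above; `roundtrip_all` exercises every construction on one key pair.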

REFERENCES

1. Kobara K. and Imai H. Semantically secure McEliece public-key cryptosystems — conversions for McEliece PKC. LNCS, 2001, vol. 1992, pp. 19-35.

2. Goldwasser S. and Micali S. Probabilistic encryption. J. Computer and System Sciences, 1984, vol. 38, no. 2, pp. 270-299.

3. Bellare M. and Rogaway P. Optimal asymmetric encryption — how to encrypt with RSA. Advances in Cryptology — EUROCRYPT'94, Springer Verlag, 1995, pp. 92-111.

4. Shor P. Algorithms for quantum computation: discrete logarithms and factoring. Proc. 35th Ann. Symp. FCS, Santa Fe, USA, IEEE Publ., 1994, pp. 124-134.

5. McEliece R. J. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 1978, vol.42, no. 44, pp. 114-116.

6. Bellare M. and Rogaway P. Random oracles are practical: A paradigm for designing efficient protocols. CCS '93 Proc. 1st ACM conf. CCS'93, N.Y., ACM, 1993, pp. 62-73.

7. Nojima R., Imai H., Kobara K., and Morozov K. Semantic security for the McEliece cryptosystem without random oracles. Designs, Codes and Cryptography, 2008, vol. 49, no. 1-3, pp. 289-305.

8. Dottling N., Dowsley R., Muller-Quade J., and Nascimento C. A. A. A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inform. Theory, 2012, vol. 58, no. 10, pp. 6672-6680.

9. Lenstra A. K. and Verheul E. R. Selecting cryptographic key sizes. J. Cryptology, 2001, vol. 14, no. 4, pp. 255-293.

10. Bellare M., Desai A., Pointcheval D., and Rogaway P. Relations among notions of security for public-key encryption schemes. Advances in Cryptology — CRYPTO'98, LNCS, 1998, vol. 1462, pp. 26-45.

11. Bleichenbacher D. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1. Advances in Cryptology — CRYPTO'98, LNCS, 1998, vol. 1462, pp. 255-293.

12. Cramer R., Damgard I., and Nielsen J. B. Secure Multiparty Computation and Secret Sharing. Cambridge, Cambridge University Press, 2015. 373 p.

13. Kosolapov Y. V. and Turchenko O. Y. Primenenie odnogo metoda raspoznavaniya koda dlya kanala s podslushivaniem [Application of one method of linear code recognition to the wire-tap channel]. Prikladnaya Diskretnaya Matematika, 2017, no. 35, pp. 76-88. (in Russian)

14. Chabot C. Recognition of a code in a noisy environment. Proc. IEEE ISIT, Nice, France, 2007, pp. 2211-2215.

15. Yardi A. D. and Vijayakumaran S. Detecting linear block codes in noise using the GLRT. IEEE Intern. Conf. Communications, Budapest, Hungary, 2013, pp. 4895-4899.
