New Approach for CCA2-Secure Post-Quantum Cryptosystem Using Knapsack Problem

Abstract — Chosen-ciphertext security, which guarantees confidentiality of encrypted messages even in the presence of a decryption oracle, has become the de facto notion of security for public-key encryption under active attack. In this manuscript, for the first time, we propose a new approach for constructing post-quantum cryptosystems secure against adaptive chosen ciphertext attack (CCA2-secure) in the standard model using the knapsack problem. The computational version of the knapsack problem is NP-hard . Thus, this problem is expected to be difficult to solve using quantum computers. Our construction is a precoding-based encryption algorithm and uses the knapsack problem to perform a permutation and pad random fogged data to the message bits. Compared to other approaches in use today, our approach is more efficient and its CCA2 security in quantum environment can be reduced in the standard model to the assumption that the knapsack problem is intractable. Furthermore, we show that our approach is a general paradigm and can be applying to any (post-quantum) trapdoor one-way function candidate.

Index Terms — CCA2-security, Encoding, Knapsack problem, Post-quantum cryptosystem, Standard model

I. INTRODUCTION HE notion of public-key cryptography was introduced by Diffy and Hellman [18] and the ultimate goal of public-key Tencryption is the production of a simple and efficient encryption scheme that is provably secure in a strong security model under a weak and reasonable computational assumption. The accepted notion for the security of a public-key encryption scheme is semantically secure against adaptive chose ciphertext attack (i.e. IND-CCA2) [37]. In this scenario, the adversary has seen the challenge ciphertext before having access to the decryption oracle. The adversary is not allowed to ask the decryption of the challenge ciphertext, but can obtain the decryption of any relevant cryptogram (even modified ones based on the challenge ciphertext). A cryptosystem is said to be CCA2-secure if the cryptanalyst fails to obtain any partial information about the plaintext relevant to the challenge cryptogram. In order to design CCA2-secure cryptosystems, a lot of successes were reached but these successes tend to fall into two categories: the production of very efficient encryption schemes with security proofs in random oracle models, and the production of less efficient encryption schemes with full proofs of security in standard models. The ultimate prize has yet to be claimed. The random oracle model was introduced by Bellare and Rogaway [5]. In this model, hash functions are considered to be ideal, i.e. perfectly random. We stress that although a proof in the random oracle model has a certain value it is still only a heuristic security argument for any implementation of the scheme. In particular, there exist cryptographic schemes that are provably secure in the random oracle model yet that are insecure with any possible standard model instantiation of the hash function [10]. The approaches for constructing encryption schemes secure in the standard model (i.e., without the use of heuristics such as random oracles) tend to fall several categories [17]. • The first approach is to use a “double-and-add” technique, in which a message is encrypted twice and a checksum value is added to the ciphertext. We can divide these schemes in two categories: The NIZK Schemes [33] and the Cramer-Shoup encryption Scheme [16]. • Signature and identity-based schemes are another approach for constructing IND-CCA2 scheme. The Canetti-Halevi-Katz transform [11] and the Dolev-Dwork-Naor scheme [19] are the most important cases in this area. • Extracting plaintext awareness is the third technique. Two methods are used: plaintext awareness via key registration and using Extractors [4, 21]. The cryptosystems were introduced with the above techniques are based on assumptions related to the integer factoring (IF) and discrete logarithm (DL) problems, such as: decisional quadratic residuosity (DQR) assumption, Paillier’s decisional composite residuosity (DCR) assumption, RSA assumption, decisional Diffie-Hellman (DDH) assumption, Computational Diffie-Hellman (CDH) assumption, Bilinear Computational Diffie-Hellman (BCDH) assumption, etc. In 1994, Shor [42] conceived a polynomial-time algorithm which solves IFP and DLP using quantum computers. Therefore, these schemes cannot be used to provide security protections any longer and public-key cryptosystems secure in quantum computing environments

Manuscript received November 29, 2012. R. Rastaghi is with the Department of Electrical Engineering, Aeronautical University of Since & Technology, Tehran, Iran. This work was supported by IRIAF Cyber Defense Center. need to be developed. Public-key cryptosystems that can resist these emerging attacks are called quantum resistant or post- quantum cryptosystems. A. Related work There are mainly four classes of public-key cryptography that are believed to resist quantum attacks [6]. • Lattice-based cryptography • Code-based cryptography • Hash-based digital signature schemes • Multivariate cryptography Each approach has unique advantages and disadvantages. It has been shown that many of these post-quantum cryptosystems are not CCA2-secure [7, 23] and most of the cryptosystems have been proposed to deal with CCA2 adversaries are in the random oracle model. In recent years, Lattice-based and Code-based cryptography have been further considered in the design of post-quantum CCA2-secure cryptosystem. Here we present a summary of the work done in each case. • Lattice-based cryptography. For the first time, Peikert and Waters [35] propose a CCA1-secure cryptosystem based on the worst-case hardness of lattice problems using the notion of lossy All-But-One (ABO) trapdoor functions. Subsequently, Peikert [36] showed how to construct a correlation-secure trapdoor function family from the learning with errors (LWE) problem, and used it within the Rosen-Segev scheme [40] to obtain another lattice-based CCA1-secure scheme. Unfortunately, the latter scheme suffers from long public-key and ciphertext length of Ω(n2 ) in the security parameter n ,

even if applied in the Ring-LWE setting [43]. Recently, Micciancio and Peikert [31] give new methods for generating simpler, tighter, faster and smaller trapdoors in cryptographic lattices to achieve a CCA1-secure cryptosystem. Their methods involve a new kind of trapdoor, and include specialized algorithms for inverting LWE, randomly sampling SIS preimages, and securely delegating trapdoors. More constructions of IND-CCA2 secure lattice-based encryption schemes can be obtained by using the lattice-based selective-ID secure identity-based encryption (IBE) schemes of [1, 2, 3, 39] within the generic construction of [8], and a one-time signature or commitment scheme. Recently, Steinfeld et al. [43] introduced the first CCA2 secure variant of the NTRU in the standard model with a provable security from worst-case problems in ideal lattices . They construct a CCA1-secure scheme using the lossy trapdoor function framework of Peikert and Waters, which they generalize to the case of (k − 1) -of- k -correlated input distributions. For full CCA2 security and non-malleability, all the above schemes suggest using a strongly unforgeable one-time signature scheme, a message authentication code (MAC) or commitment scheme for transfer CCA1-secure schemes to a CCA2-secure one. So, all of these approaches require separate encryption and checksum operations . Hence, the resulting encryption schemes require two expensive calculations. • Code-based cryptography. The first cryptosystem based on the hardness of decoding random linear codes was presented in 1978 by McEliece [27]. The first CCA2-secure variant of McEliece scheme in the random oracle model is the conversions of Kobara and Imai [26]. Recently, Cayrel et al. [13] present efficient implementations of McEliece variants using quasi- dyadic codes. They provide secure parameters for a classical McEliece encryption scheme based on quasi-dyadic generalized Srivastava codes, and convert their scheme to a CCA2-secure one in the random oracle model by applying the Fujisaki-Okamoto transform. For the first time, Döttling et al. [20] showed how we can construct CCA2-secure McEliece variant cryptosystem using correlated products in the standard model. They construct IND-CPA verifiable k-repetition McEliece scheme by modifying Nojima et al. [34] randomized version of the McEliece with Bernoulli error distribution. Their scheme obtains CCA2-security in the standard model by using one-time strongly unforgeable signature scheme. All the above concrete constructions of lossy trapdoor function and correlated inputs function are based on decisional assumptions [25, 28]. It is widely believed that computational assumptions are more standard than their decisional versions. Furthermore, IND-CCA2 for almost all proposed post-quantum cryptosystems is based on strongly unforgeable one-time signature schemes (or MACs). The drawback of the one-time signature schemes is that one key-pair consisting of a secret signature key and a public verification key can only be used to sign and verify a single document. This is inadequate for most applications [6]. Moreover, both the double-and-add schemes and the identity-based schemes require separate encryption and checksum operations. Hence, the resulting encryption schemes require two expensive calculations. B. Motivation Challenges in the post-quantum cryptography include efficiency, reliability and usability. Motivated by the task of constructing a simple and efficient public-key encryption scheme which is post-quantum CCA2-secure in the standard model , we initiate the study of NP-hard problems for constructing such schemes. It is believed that the quantum computer cannot solve NP-hard problems. The knapsack problem has proven to be NP-complete. The computational version of the knapsack problem is NP-hard , thus this problem is expected to be one of the difficult problems against the quantum computer. The knapsack scheme is also attractive at the standpoint of encryption and decryption speed. Only integer additions are required for the encryption in the knapsack scheme. This feature confers a practical advantage that the encryption can be lightly implemented on small IC chips. C. Overview We introduce a novel approach for constructing CCA2-secure post-quantum cryptosystem in the standard model based on the knapsack problem. Our construction is a randomized precoding-based algorithm and uses the knapsack problem to perform a permutation and pad random fogged data to the message bits. For this reason, we firstly choose a random binary string n {x1 , x 2 ,… , x n }∈ r {0,1} and then use it to divide message bits into several blocks with equal length v . Then, some random fogged blocks (RFBs) with equal length s are padded to the message blocks. Encoding information includes position of the message (and RFB) blocks and the lengths of them are encrypted with a secure knapsack-based PKC and send to the receiver. Since encryption and decryption in the knapsack-based cryptosystems are very fast, compared to other approaches, our method is very efficient. The main novelty is that we introduce a heuristic encoding algorithm and correlate the encoding parameters to the knapsack problem. Thus, the CCA2 adversary for extracting the message from challenge cryptogram must first recover encoding parameters from the knapsack-based cryptosystem. Our proof makes direct use of the fact that the underlying primitive is a trapdoor one-way permutation, rather than the knapsack problem and the scheme’s consistency check can be directly implemented by the simulator without having access to some external gap-oracle (as in [8, 9, 24]) or using other extrinsic rejection techniques (such as “hash proof systems” [1, 5, 16] or “twinning” [12]). Thus, our proof technique is fundamentally different from all known approaches to obtain CCA security. The rest of this manuscript is organized as follows: In the following section, we briefly explain some mathematical background and definitions. Then, in Section 3, we introduce our proposed scheme. Performance and security analysis of this cryptosystem will be discussed in Section 4 and finally, in section 5, we will give a general form of the proposed scheme that can be applying to any (post-quantum) trapdoor one-way function candidate.

II. PRELIMINARY

A. Notation k We will use standard notation. If X is a string, then X denotes its length. If k ∈ ℕ then {}0,1 denote the set of k-bit strings, * 1k denote a string of k ones and {}0,1 denote the set of bit strings of finite length. y← x denotes the assignment to y of the value x. For a set S, s← S denote the assignment to s of a uniformly random element of S. For a deterministic algorithm A , we write x← AO ( y , z ) to mean that x is assigned the output of running A on inputs y and z, with access to oracle O . If A is a probabilistic algorithm, we may write x← AO (,, yzR ) to mean the output of A when run on inputs y and z with oracle access to O and using the random coins R . If we do not specify R then we implicitly assume that the coins are selected uniformly at

∞ random from 0,1 . This is denoted x← AO ( y , z ) . We denote by Pr[E ] the probability that the event E occurs. If a and b are {} two strings of bits, we denote by a|| b their concatenation. The bit-length of a denoted by Len(a ) , Lsb (a ) means the x1 right x bits of a and Msb (a ) means the left x bits of a. 1 x2 2 B. Public-Key Encryption Schemes A public-key encryption scheme is defined as follows: Definition 1: (Public-key encryption). A public-key encryption scheme (PKE) is a triple of probabilistic polynomial time (PPT) algorithms (Gen,Enc,Dec) such that: k • Gen is a probabilistic polynomial-time key generation algorithm which takes a security parameter 1 as input and outputs a public-key pk and a secret-key sk . We write (pk , sk )← G (1k ) . The public-key specifies the message space MsgSp (pk ) and the ciphertext space CiphSp (sk ) . • Enc is a (possibly) probabilistic polynomial-time encryption algorithm which takes as input a public key pk, a m∈MsgSp ( pk ) and random coins r , and outputs a ciphertext C∈CiphSp ( pk ) . We write Enc(pk , m; r ) to indicate explicitly that the random coins r is used and Enc(pk , m ) if fresh random coins are used. • Dec is a deterministic polynomial-time decryption algorithm which takes as input a secret-key sk and a ciphertext CCiphSp pk mMsgSp pk m C sk ∈ ( ) , and outputs either a message ∈ ( ) or an error symbol ⊥ . We write ← Dec( , ) . • (Completeness) For any pair of public and secret-keys generated by Gen and any message m∈MsgSp ( pk ) it holds sk pk m;r m that Dec( ; Enc( , )) = with overwhelming probability over the randomness used by Gen and the random coins r used by Enc . Semantic security (a.k.a. indistinguishability) against adaptive chosen ciphertext attacks (IND-CCA2) is the strongest known notion of security for the public-key encryption schemes. This notion of security simply means that a cryptogram should not reveal any useful information about the message. This type of attack is the most powerful attack, which is defined by Rackoff and Simon [37]. In this scenario, the adversary has seen the challenge cryptogram before having access to the decryption oracle. The adversary is not allowed to ask the decryption of the challenge cryptogram, but can obtain the decryption of any relevant cryptogram (even modified ones based on the challenge cryptogram). A cryptosystem is said to be IND-CCA2 secure if the cryptanalyst fails to obtain any partial information about the plaintext relevant to the challenge cryptogram. This notion is known to suffice for many applications of encryption in the presence of active attackers including secure P2P transmission, secure communication, auctions, voting schemes, and many others. Indeed, CCA security is now widely accepted as the standard security notion for public-key encryption schemes. In recent years, attempt to design cryptosystems secure against adaptive chosen ciphertext attack is increased, but no efficient cryptosystems in the standard model were introduced. Definition2 (CCA2-security). A public-key encryption scheme PKE is secure against adaptive chosen-ciphertext attacks (i.e. A A A IND-CCA2) if the advantage of any two-stage PPT adversary = (1 , 2 ) in the following experiment is negligible in the security parameter k :

cca 2 ExpPKE, A (k ): (pk , sk )← Gen(1k )

(,,)m m state←ADec(sk ,.) () pks.t. m = m 0 1 1 0 1 b ← {0,1} * C← Enc( pk , m b )

b' ADec(sk ,.) C* state ← 2 ( , ) If b= b ' return 1, else return 0.

The attacker may query a decryption oracle with a ciphertext C at any point during its execution, with the exception that A2 * ' Dec(sk ,.) * is not allowed to query Dec(sk ,.) with C . The decryption oracle returns b← A2 ( C , state ) . The attacker wins the game if cca 2 b= b' and the probability of this event is defined as Pr[ExpPKE, A (k )] . We define the advantage of A in the experiment as

IND-CCA-2cca 2 1 AdvA (k )= Pr[Exp A ( k ) =1 ] − . PKE, PKE, 2

A. Knapsack-based public-key cryptosystem Knapsack public-key encryption schemes are based on the subset sum problem. The subset sum problem is to find the n (x , x ,… , x )∈ {0,1} C= ax + ax,… + ax a, a ,… , a solution 1 2 n such that 11 22 n n for given positive integers 1 2 n and C which is the sum of a subset of the ai . This problem is known to be NP-hard [30, 32]. Thus, the subset sum problem is expected to be hard to solve using quantum computers. The knapsack scheme is also attractive at the standpoint of light-weight encryption. In the public-key schemes using DLP or IFP, the large modulo exponentiations are required for the encryption and decryption. This operation is a little bit heavy to implement on small IC chips. On the other hand, only integer additions are required for the encryption in the knapsack scheme. This feature confers a practical advantage that the encryption can be lightly implemented on small IC chips and can be performed in much shorter time than the schemes using DLP or IFP. These reasons described above have motivated us to investigate knapsack-based public-key cryptosystems. The first knapsack-based PKC was introduced by Merkle and Hellman [29]. Since its proposal, knapsack-based PKC have been widely studied and many knapsack-based PKCs were developed. Nevertheless, many knapsack cryptosystems were shown insecure against some known attacks, such as low density attack [14], Shamir’s attack [41], and lattice basis reduction algorithms [38], etc. The basic idea is to select an instance of the subset sum problem that is easy to solve, and then disguise it as an instance of the general subset sum problem, which is hopefully difficult to solve. The original knapsack set can serve as the private key, while the transformed knapsack set serves as the public key [30]. I. THE PROPOSED CRYPTOSYSTEM In this section, we introduced our proposed encryption scheme. Our scheme is a precoding-based algorithm that uses knapsack problem for performing a permutation and pad random fogged data to the message. A. The Proposed Idea Let we can decide to encrypt message m ∈ {0 , 1 } n with Len (m ) = n . For perform a randomized encoding to the message, we l firstly choose a random binary vector X= (, xx1 2 ,… ,) x l with hamming weigh h where h= ∑i=1 x i . We will call this vector cargo (carrier) vector which carries the encoding information. If hn , then n/ h is not an integer and we pad a random binary string (RBS) with length h.  nh  − n to the right of m. Otherwise, n/ h is an integer and we don’t need to pad a RBS to the right of m. In each case, we can divide m into h blocks d1|| d 2 ||... || d h with binary length v=  n h  where

dh=Lsb m ( nh − ( − 1 ). nh  )|| RBS . Thus, if h∣ n , then RBS = φ (the empty set) and dh=Lsb m ( nh − ( − 1 ). nh  ) , else, RBS is a random block with binary length h. nh  − n and we have dh=Lsb m ( nh − ( − 1 ). nh  )|| RBS . We perform a random permutation and pad some random fogged blocks (RFBs) with equal binary length s into the message v v s blocks di,1≤ i ≤ h using permutation function f :,{}{}{}{}01× 01 , → 01 , × 01 , , that can be defined as follows:

' di if x i =1 fxd(i , i ) = d i =  . RFB if x i = 0

Notice that in order to prevent excessive increase in the message length, we can choose s small enough. The message ' ' ' m'= ( d1|| d 2 || ... || d l ) is called encoded message. We summarize encoding process in algorithm1.

Algorithm1: Permutation and random data padding

Input: m← (, mm1 2 ,,… m n ) and random binary vector X= (, xx1 2 ,… ,) x l . ' ' ' Output: Encoded message m'= ( d1|| d 2 || ... || d l ) .

SETUP: 1. If h| n then v← n h ;

else v←  n h  and choose a RBS with Len (h . nh  − n )

and m← ( mm1 , 2 ,… , m n RBS )) ; h. nh  − n

2. Divide m into h blocks (d|| d || ... || d ) with Len(d ) = v,1 ≤ i ≤ h . 1 2 h i PERMUTATION AND PADDING:

1. Randomly chose integer s . 2. For i=1 to l do: ' If x =1 then d← d i ; i i x ∑ j=1 j else

d' ← RFB with binary length s . i ' ' ' Return m'= ( d1|| d 2 || ... || d l )

We illustrate algorithm1 with small example. Suppose m= (,,, mm1 2… m 127 ) and X = (0,1,0,1,1,0,1,0,1,1,1,0,1,1,1,0,1,0) . SETUP: hl x v= n h  = 12 We have Len(m ) = n = 127 , l = 18 , =∑i=1 i = 11 . Since 11 127 so   and we must pad a random block with length Len(h . nh  − n ) = 5 to the right of m. If we randomly chose 1, 0 ,,, 11 0 , we have m= ( mm1 , 2 ,… , m 127 ,,,,,)1 0 11 0 . Since h = 11 , the Len{5 } v mmmm= (,..., ,, … m .. . m ,, … m ,,,,,)1 0 1 1 0 algorithm divides m into 11 blocks with equal length =12 . We have 1 12 13 24 121 127 . d1d 2 d 11

Which Lsbm (nhnh−− (1 ).  ) = Lsb m ( 7 ) = m121 ,… , m 127 . PERMUTATION AND PADDING: Firstly, we choose random integer s, say s = 4 . We have x = 0 d' ←RFB#1 = ( 0110 ,,, ) (0,1,1,0) 1 , thus 1 where is randomly chosen by algorithm1. ' x =1, thus d← d2 = d . 2 2x 1 ∑ j=1 j x = 0 d' ←RFB#2 = ( 1010 ,,, ) (1,0,1,0) 3 , thus 3 where is randomly chosen by algorithm1. . . . ' x =1, thus d← d17 = d . 17 17x 11 ∑ j=1 j ' x18 = 0 , thus d18 ←RFB#7 = ( 0010 ,,, ) where (,0 0 ,, 1 0 ) is randomly chosen by algorithm1. l− h RFB blocks with equal length s = 4 are combined with the message blocks d, 1 ≤ i ≤ h , to produce the encoded i ' '' ' m'= (0110, , , m ,..., m … 101 ,,, 0 ... m , , m ,,,,,1 0 1 1 0 message m= ( dd1 2 ... d l ) . In the final, algorithm output m' as 1 12 121 127 d'' d ' ' 1d2 3 d17

0,0,1, 0 ) . ' d18 x=1, 1 ≤ i ≤ l As we see, the length and position of the message blocks are correlated to the number and position of i respectively, and completely random. B. The proposed scheme 1) Key Generation Algorithm ∏ = (Gen, Enc , Dec ) (,b b ,… ,) b Suppose Knap Knap Knap be a secure knapsack-based PKE and 1 2 l be the secret key and l {(aa1 , 2 ,… , al ), M } be the public key, where M> ∑i=1 a i is a module.

2) Encryption algorithm To encrypt message m ∈ {0 , 1 } n , the sender do the following steps: X= (, xx ,… ,) x h. • Choose random cargo vector 1 2 l with hamming weight Execute algorithm1 for generate encoded ''' ' message mdd= (1 2 ... d l ) from message m . • Suppose y be the decimal representation of m' . Compute: l C= y − h C=Enc ( X ) = ax . 1 , 2 Knap ∑ i i i=1 and send ciphertext C= ( C1 , C 2 ) to the receiver. Fig.1 shows the encryption process. Message m, with Len( n)

Generate pseudorandom binary m m... m vector (x1 , x 2 ,..., x l ) 1 2 n

h x x... x 1 2 l d1 d 2 ... d h

Encoding Process

d'1 d' 2... d'l− 1 d' l

y Knapsack-based Data path cryptosystem y-h Process path

Ciphertext C1 Ciphertext C 2

Fig.1: Encryption Process

3) Decryption algorithm

Receiver after receiving C= ( C1 , C 2 ) , performs the following steps for extract message m : X= (, xx ,… ,) x X=Dec ( C ) h= ∑l x v n h  • Compute random binary vector 1 2 l as Knap 2 , i=1 i and = /  .

• Compute y= C1 + h . • Suppose m' is the binary coded decimal (BCD) of y . Computes s=(Len( m' ) − n ) / ( l − h )  and reject the ciphertext 1 C= ( C1 , C 2 ) if s is not an integers (consistency check ). • The lengths and position of the message (and RFB) blocks are explicit, therefore, the receiver simply can separate RFB

blocks from encoded message m' and extract message blocks di , 1≤ i ≤ h with the following algorithm.

Algorithm 2 : Extractor

l Input: X= (, xx1 2 ,… ,) x l , h= ∑i=1 x i , s and m'

Output: Message mdd= (1|| 2 || ... || d h ) .

1. For i=1 to l do:

If xi = 0 then m'←LsbLen(m' ) − s ( m' ) ; else

di ← Msb ( m' ) and m'←Lsb ( m' ) ; x v Len(m' ) − v ∑ j=1 j

2. m←( dd|| || ... || d l ) 1 2 x ∑ j=1 j

3. If hn , then m←Msb ( m ) (remove right (h . nh  − n ) bits of m). n   Return “ m ”

1 Verify whether the encoding information is correct or not II. PERFORMANCE AND SECURITY ANALYSIS

A. Security Analysis In this section, we analyze the CCA2-security of the proposed cryptosystem built using a pre-coding procedure with the knapsack-based cryptosystem. The most common strategy to prove a scheme is secure is to provide a security reduction in which an instance of a hard mathematical problem is embedded in the public-key and challenge ciphertext in such a way that (a) a polynomial-time attacker cannot distinguish this “simulated” public key/challenge ciphertext from the inputs that it would expect to receive in the IND-CCA2 security game and (b) a successful attack against the scheme implies a solution to the hard problem (with non-negligible probability).

Theorem1 ∏ = (Gen, Enc , Dec ) : If knap knap knap be a secure knapsack-based cryptosystem, then the proposed scheme is post- quantum CCA2-secure in the standard model. Proof: C*= ( C * , C * ) Suppose that 1 2 be the challenge ciphertext. In the CCA-2 scenario, the adversary is not allowed to ask the decryption of the challenge ciphertext, but can obtain the decryption of any relevant cryptogram (even modified ones based on the challenge ciphertext). Let Si be the event that the adversary A wins in Game i . Here is the sequence of games.

Game 0. We now define a game, called Game 0, which is an interactive computation between an adversary A and a simulator . This game is usual CCA2 game used to define CCA2-security, in which the simulator provides the adversary’s environment. Initially, the simulator runs the key generation algorithm and gives the public key to the adversary. The adversary submits two messages m0, m 1 , which are bit strings of equal length, to the simulator. The simulator chooses b∈{0,1} at random, * * * * * and encrypts mb , obtaining the challenge ciphertext C= ( C1 , C 2 ) . The simulator gives C to the adversary. We denote by X , * * * * h and y= C1 + h the corresponding intermediate quantities computed by the encryption algorithm. The only restriction on the adversary’s requests is that after it makes a challenge request, the subsequent decryption requests must not be the same as ɶ ɶ the challenge ciphertext. At the end of the game, the adversary A outputs b∈{0,1} . Let S0 be the event that b= b . Since Game 0 is identical to the CCA2 game we have that

IND-CCA-2 1 AdvA (k )= Pr [ S ] − PKE, 0 2 and our goal is to prove that this quantity is negligible. We prove this by considering other games, Game 1, Game 2, etc. These games will be quite similar to Game 0 in their overall structure, and will only differ from Game 0 in terms of how the simulator works. However, in each game, there will be ɶ X ɶ well defined bits b and b , so that in Game i , we always define i to the event that b= b in that game. All of these games should be viewed as operating on the same underlying probability space.

Game 1 . Define Game 1 as identical with Game 0, except that h= h * .

Lemma 1: There exists an efficient adversary A1 such that:

Knap Pr[S1 ]− Pr[ S 0 ] ≤ AdvA ( k ) (1) 1,RECOVER( m b ) By the assumption that the Knapsack problem is intractable, we have that AdvKnap (k ) is negligible. A1,RECOVER( m b )

Proof: Let ε(k )= Pr[ S ] − Pr[ S ] . We can easily build an adversary A that decides to recover m from Game 1. The 1 0 1 b * * * adversary A1 queries on input (,CC12 )(,≠ CC 12 ) , h= h . It then runs a “hybrid Game 0/1” as the simulator. In this hybrid game, the simulator follows the instructions of Game 0, except that when the challenge ciphertext is created it uses h= h * . The * * * ɶ adversary A1 runs Game 0/1 on input (C1≠ CC 12 , ≠ C 2 ), hh = , and outputs 1 if b= b , and outputs 0 otherwise.

Since (,CC )(,≠ CC* * ) , h= h * , the simulator computes v= nh/ *  = v * , yC= + h* ≠ y * and 12 12   1 * *  * * s=(Len(BCD ( Chnlhs1 +−−≠ )) ) / ( )  . If s is not an integer, then simulator rejects the ciphertext. Since C2≠ C 2 , thus X≠ X * and so, the position of the message (and RFB) blocks and the length of the RFB blocks are not explicit ( s≠ s * ). Furthermore, because of the intractability of the knapsack problem, the adversary cannot recover X from C2 . The attacker can modify C A cryptogram 2 for query from simulator, but 1 ’s advantages is negligible (see proof of lemma 2). Thus, it cannot m (C , C ) A correctly remove RFB blocks from encoded message m' in order to extract message b from 1 2 and so, the 1 ’s Knap Knap advantage of this Game is exactly equal to ε(k ) . By definition of AdvA (k ) , we have ε(k )≤ AdvA ( k ) . 1,RECOVER( m b ) 1,RECOVER( m b )

* Game 2 . Define Game 2 as identical with Game 0, except that C1= C 1 .

Lemma 2: There exists an efficient adversary A2 such that: Knap Pr[S2 ]− Pr[ S 0 ] ≤ AdvA ( k ) (2) 2,RECOVER( m b ) By the assumption that the Knapsack problem is intractable, we have that AdvKnap (k ) is negligible. A2 ,RECOVER( m b )

Proof: ε(k )= Pr[ S ] − Pr[ S ] A m ε(k ) Let 2 0 . Consider adversary 2 that hopes to recover b from this Game with advantage . * l For recover message mb , the adversary A2 must first recover random binary vector X from C2 = ∑i=1 ai. x i . Since the l * * knapsack problem is intractable, thus A2 cannot recover X from C2 = ∑i=1 ai. x i . Furthermore, since C2≠ C 2 , thus X≠ X . So, the probability of success for A2 is negligible. The adversary A2 can modify cryptogram C2 for query by the simulator. If C∉CiphSp ( pk ) , then C is not a legitimate cryptogram and Dec (.) rejects C . The adversary A can 2 Knap 2 Knap 2 2 * m take C2= C 2 + ∑i=1 a i where m≤ l , but the optimum choice for modifying C2 such that it becomes a legitimate cryptogram is that A a (,a a ,… , a ) C= C* + a the adversary 2 randomly chooses i from public weight 1 2 l and constructs 2 2 i and then queries corresponding message from the simulator. If C* = l a. x includes a , then cryptogram C is not a legitimate cryptogram 2 ∑i=1 i i i 2 and Dec (.) rejects the ciphertext C . If C* = l a. x does not includes a , then C= C* + a is a legitimate ciphertext and Knap 2 2 ∑i=1 i i i 2 2 i

Dec (C ) Xxxxx=( =* ,= * ,,… x =1 ,... , x = x * ) X≠ X * * y= C +( h * + 1) Knap 2 outputs 1 12 2 i l l . In this case, we have , h= h + 1and 1 . y length s=(Len(BCD ( Ch ++− (* 1 )) nlh ) / ( −+≠ ( * 1 ))  s * So, the simulator cannot correctly compute and RFB blocks  1  . Furthermore, since X≠ X * , position of the message (and RFB ) blocks are not explicit. Thus, it cannot correctly remove RFB A blocks from encoded message m' and so, probability of success for 2 in this game is negligible and we have ε(k )≤ AdvKnap ( k ) . A2 ,RECOVER( m b )

Game 3 . Define Game 3 as identical with Game 2, except that h= h * .

Lemma 3: There exists an efficient adversary A3 such that Knap Pr[S3 ]− Pr[ S 2 ] ≤ Adv ( k ) (3) A3 ,RECOVER( m b ) By the assumption that the Knapsack problem is intractable, we have that AdvKnap (k ) is negligible. A3,RECOVER( m b )

Proof: Suppose ε(k )= Pr[ S ] − Pr[ S ] . We can build an adversary A that aims to recover m from Game 3. In this Game, the 3 2 3 b * * * * * * *  simulator run on input (C1= CC 12 , ≠ C 2 ), hh = and unlike Game 2, it can recover yC=1 + h = y , s= s and v=  n/ h  . Since * the knapsack problem is intractable, the adversary A3 cannot recover random binary vector X from C2≠ C 2 . Furthermore, * * since C2≠ C 2 , thus X≠ X and so, the position of the message (and RFB ) blocks are not explicit. Thus, the simulator cannot Knap correctly remove RFB block from encoded message m' and extract message mb . By definition of Adv (k ) , we A3,RECOVER( m b ) have ε(k )≤ AdvKnap ( k ) . A3 ,RECOVER( m b )

We claim that

Pr[S ]− Pr[ S ] ≤ ε ( k ) 3 1 under the assumption that the Knapsack problem is intractable. We proof this in the below lemma.

Lemma 4: There exists an efficient adversary A4 such that

Knap Pr[S3 ]− Pr[ S 1 ] ≤ Adv ( k ) . (4) A4 ,RECOVER( m b ) By the assumption that the Knapsack problem is intractable, we have that AdvKnap (k ) is negligible. A4 ,RECOVER( m b )

* Proof: Game 3 is identical with Game 1, except that C1= C 1 . Let ε(k )= Pr[ S3 ] − Pr[ S 1 ] . We can build adversary A4 such * * * * * *  * that it queries on input (C1= CC 1 , 2 ), hh = . In this case, simulator computes yC=1 + h = y , s= s and v= nh/  = v . Since * * C2≠ C 2 , thus X≠ X , and as we see in lemma2, the adversary A4 cannot recover mb correctly. Thus, the adversary A4 ’s advantage is exactly equal to ε(k ) . By definition of AdvKnap (k ) , we have ε(k )≤ AdvKnap ( k ) . A4 ,RECOVER( m b ) A4 ,RECOVER( m b )

* Game 4. Define Game 4 as identical with Game 0, except that C2= C 2 .

Lemma 5: There exists an efficient adversary A5 such that

Pr[S ]− Pr[ S ] ≤ AdvA ( k ) (5) 4 0 5 ,RECOVER( m b ) Proof : Suppose ε(k )= Pr[ S ] − Pr[ S ] . Consider adversary A that aims to recover m from Game 4. The adversary A 4 0 5 b 5 * * * queries on input (C1≠ CC 12 , = C 2 ) . In this case since X= X , thus, the position of the message (and RFB ) blocks are quite y= C + h * C≠ C * y≠ y * s=(Len(BCD ( Chnlhs +−−≠* )) ) / ( * )  * clear. We have 1 and Since 1 1 , thus and 1  . If s is not an integer, then simulator rejects the ciphertext. Moreover, since the length of RFB blocks is not clear, s≠ s * , thus the simulator cannot correctly remove them from m' and so, it cannot correctly extract mb . Thus the A5 ’s advantage of this algorithm is exactly equal to ε(k ) and we have ε(k )≤ Adv ( k ) . A5 ,RECOVER(mb )

Lemma 5: There exists an efficient adversary A6 such that

Pr[S ]=1 / 2 (6) 4 Proof: We construct an adversary A that hopes to recover m from Game 4 which runs on input (C≠ CC* , = C * ) . The 5 b 1 12 2 * * * *  * simulator take as input C2= C 2 and compute X= X , h= h and v= nh/  = v , thus, the position of the message (and RFB ) blocks and the length of message blocks v are quite clear. For correctly extract m from y= C + h * , the simulator must b 1 * know the exact value of C1 . In CCA2 scenario, the adversary cannot query challenge ciphertext to the simulator, thus, A5 * cannot take C1= C 1 . Hence, the advantage of the adversaryA5 for recovering mb is equal to zero and by definition we have Pr[S4 ]=1 / 2 . Completing the Proof: We have

Pr[S0 ] ≤−+−+−+−+−+ Pr[ SSSSSSSSSSS 10204032314 ] Pr[ ] Pr[ ] Pr[ ] Pr[ ] Pr[ ] Pr[ ] Pr[ ] Pr[ ] Pr [ ] Pr[ ] From equations 1-6 we have: Knap Knap Knap Knap Pr[S0 ]−≤ 1 / 2 AdvA ( kk ) + Adv A ( ) + Adv A ( k ) + Adv A ( k ) + AdvA ,RECOVER( m ) ( k ) 1,m,mRECOVER(b ) 2 RECOVER( b ) 3,mRECOVER( b ) 4 ,m RECOVER( b ) 5 b By assumption, the right-hand side of the above equation is negligible, which finishes the proof. From lemma 1-4, the CCA2 security of the proposed scheme in the standard model reduced to the assumption that the knapsack problem is intractable. Since the knapsack problem is resistant against solution by the quantum computers, the proposed scheme is post-quantum CCA2-secure. B. Performance Analysis The performance-related issues can be discussed with respect to the computational complexity of key generation, key sizes, encryption and decryption speed. The proposed cryptosystem features fast encryption and decryption. The encryption only carries out O(1) multiplication, O(l) additions, and some permutation and data padding. The decryption just performs O(1) division, a knapsack decryption“Decknap (.) ” which depending on the knapsack cryptosystem is usually quick and, some bit operations for removing RFB blocks from encoded message in order to extract the original message. Compare to other CCA2-secure post-quantum schemes as mentioned in section one, our scheme is very simple and more efficient.

III. GENERALIZED SCHEME In this section, we introduce a general form of the propose scheme, which can be apply to any (post-quantum) trapdoor one-way n function. Suppose that F be a (post-quantum) trapdoor one-way function generator. On input 1 , the generator Gen runs n −1 F (1 ) to obtain (f , f ,td) which are the system parameters. A. Encryption To encrypt message m ∈ {0 , 1 } n , the sender do the following steps: • Choose random binary vector X= (, xx ,… ,) x with hamming weight h= ∑n x . Execute algorithm1 for generate 1 2 l i=1 i ''' ' encoded message mdd= (1 2 ... d l ) from message m . • Suppose y be the decimal representation of m' . Compute: C y. h 1 = , C2 = f( X ) and send ciphertext C= ( C1 , C 2 ) to the receiver. B. Decryption algorithm

Receiver after receiving C= ( C1 , C 2 ) , performs the following steps for extract message m : X= (, xx ,… ,) x X= f−1( C ,td) h= ∑l x v n h  • Compute random binary vector 1 2 l as 2 , i=1 i and = /  .

• Compute y= C1 / h . • Suppose m' is the binary coded decimal (BCD) of y . Computes s=(Len( m' ) − n ) / ( l − h )  and reject the ciphertext

C= ( C1 , C 2 ) if s is not an integers.

• Execute algorim2 for recover message blocks di , 1≤ i ≤ h .

IV. CONCLUSION In this work, a new approach for constructing CCA2-secure post-quantum cryptosystem based on the computational knapsack problem is introduced. This scheme utilizes randomized encoding algorithm, and with the assistance of the knapsack problem, performs a random permutation and pads some RFB blocks to the messages bits. By this encoding, we showed that a successful post-quantum CCA2 attack against the proposed scheme implies a solution to the knapsack problem. The knapsack problem is NP-hard and it is difficult to solve using quantum computers. So, the proposed scheme is post-quantum CCA2- secure. CCA2-security of all the proposed post-quantum cryptosystem (whether lattice-based or code-based) were introduced today, is based on the security of strongly unforgeable one-time signature schemes (or MACs). The drawback of these schemes is that one key-pair consisting of a secret signature key and a public verification key can only be used to sign and verify a single document and this is inadequate for most applications. Moreover these schemes require two expensive calculations. Compare to another approach were introduced in this criteria, our scheme is simple and more efficient.

REFERENCES [1] S. Agrawal, D. Boneh, and X. Boyen ,” Efficient Lattice (H) IBE in the Standard Model,” In EUROCRYPT’ 2010 , pp.553-572, 2010. [2] S. Agrawal, D. Boneh, and X. Boyen, “Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE,” In CRYPTO’ 2010, pp. 98-115, 2010. [3] M. Bellare, E. Kiltz, C. Peikert and B. Waters, “Identity-Based (Lossy) Trapdoor Functions and Applications,” In EUROCRYPT ‘2012, LNCS, Vol. 7237 , pp 228-245, 2012. [4] M. Bellare, and A. Palacio, “Towards plaintext-aware public-key encryption without random oracles,” In ASIACRYPT’ 2004, LNCS, Vol. 3329 , pp. 48–62, 2004. [5] M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the First ACM CCCS , pp. 62-73, 1993. [6] D. J. Bernstein, J. Buchmann and Erik Dahmen, (Editors), Post-Quantum Cryptography . Springer press, 2009. [7] T. A. Berson,” Failure of the McEliece public-key cryptosystem under message-resend and related-message attack,” In CRYPTO '97, LNCS, Vol. 1294 , pp 213-220 , 1997. [8] D. Boneh, R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext security from identity-based encryption. SIAM Journal of Computing, Vol. 36(5 ), pp. 1301- 1328, 2007. [9] X. Boyen, Q. Mei, and B. Waters, “Direct chosen ciphertext security from identity-based techniques,” In ACM CCS 05, pp. 320-329, 2005. [10] R. Canetti, O. Goldreich, and S. Halvei. The random oracle model, revisited,” In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing , pages 209–218, 1998. [11] R. Canetti, S. Halevi, and J Katz, “Chosen-Ciphertext Security from Identity-Based Encryption,” Adv. in Cryptology, Eurocrypt 2004, vol. 3027 , pp. 207-222, 2004. [12] D. Cash, E. Kiltz, and V. Shoup , “ The Twin Diffie-Hellman problem and applications,” In EUROCRYPT’2008, LNCS, pp127-, 2008. [13] P. L. Cayrel, G. Hoffmann, E. Persichetti ,” Efficient Implementation of a CCA2-Secure Variant of McEliece Using Generalized Srivastava Codes,” In Public Key Cryptography, PKC 2012, LNCS, Vol. 7293, pp 138-155, 2012. [14] M. J. Coster, B. A. LaMacchia, A. M. Odlyzko and C. P. Schnorr, “An improved low-density subset sum algorithm,” in Advances in Cryptology ”, EUROCRYPT’91, LNCS, vol. 547 , pp. 54–67, 1991. [15] R. Cramer and V. Shoup, “Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack,” SIAM Journal on Computing, Vol. 33(1), pp.167-226, 2003. [16] R. Cramer and V. Shoup, “Universal hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption,” In Eurocrypt’ 2002, LNCS, Vol. 2332 , pp. 45-64, 2002. [17] A. W. Dent,”A Brief History of Provably-Secure Public-Key Encryption,” In AFRICACRYPT’ 2008, LNCS, Vol. 5023, pp. 357-370. [18] W. Diffie, and M. Hellman,” New directions in cryptography”, IEEE, Transactions on Information Theory, Vol. 22(6) , pp. 644 – 654.

[19] D. Dolev, C. Dwork, and M . Naor , “ Non-Malleable Cryptography,” 23rd Annual Symposium on the Theory of Computing (STOC), pp. 542–552, 1991. [20] N. Döttling, R. Dowsley, J. M. Quade and A. C. A. Nascimento,” A CCA2 Secure Variant of the McEliece Cryptosystem,” IEEE, Transactions on Information Theory, Vol. 58(10), pp.6672-6680, 2012. [21] J. Herzog, M. Liskov, and S. Micali, “Plaintext awareness via key registration,” In CRYPTO’ 2003, LNCS, Vol. 2729, pp.548–564, 2003. [22] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: a ring based public key cryptosystem,” In Proceedings of ANTS-III, LNCS, Vol. 1423 , pp. 267–288, 1998. [23] O. Izmerly and T. Mor,”Chosen ciphertext attacks on lattice-based public key encryption and modern (non-quantum) cryptography in a quantum Environment,” Theoretical Computer Science, Vol. 367 , pp. 308 – 323, 2006. [24] E. Kiltz,” Chosen-ciphertext security from tag-based encryption,” In TCC 2006, LNCS, Vol. 3876 , pp.581-600, 2006. [25] E. Kiltz, P. Mohassel, and A. O'Neill,” Adaptive Trapdoor Functions and Chosen-Ciphertext Security,” In EUROCRYPT’ 2010, LNCS, Vol. 6110 , pp.673-692, 2010. [26] K. Kobara and H. Imai, “Semantically Secure McEliece Public-Key Cryptosystems Conversions for McEliece PKC,” In Public Key Cryptography, PKC 2001, LNCS, Vol. 1992, pp. 19–35, 2001. [27] R. McEliece, “A public-key cryptosystem based on algebraic number theory,” Technical report, Jet Propulsion Laboratory. DSN Progress Report 42-44, 1978. [28] Q. Mei, B. Li, X. Lu, and D. Jia, “Chosen Ciphertext Secure Encryption under Factoring Assumption Revisited,” In Public Key Cryptography, PKC 2011, LNCS, Vol.6571 , pp. 210–227, 2011. [29] R. Merkle and M. E. Hellman, “Hiding information and signatures in trapdoor knapsack”, IEEE, Transactions on Information Theory, Vol. 24 , pp. 525–530, Sept 1978. [30] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography . CRC Press, 1997. [31] D. Micciancio and C. Peikert,” Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller,” In EUROCRYPT’ 2012, LNCS, Vol. 7237 , pp 700-718, 2012. [32] M. B. Moret. The Theory of Computation . Addison-Wesley, 1997. [33] M. Naor, and M. Yung , “ Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks ,” in 22nd Annual ACM Symp. on Theory of Computing, pp. 427–437, 1990. [34] R. Nojima, H. Imai, K. Kobara, K. Morozov, “Semantic Security for the McEliece Cryptosystem without Random Oracles,” Designs, Codes and Cryptography. Vol. 49, No. 1-3, pp. 289–305, 2008. [35] C. Peikert and B. Waters. “Lossy trapdoor functions and their applications”. In STOC2008, pp. 187–196, 2008. [36] C. Peikert,”Public-key cryptosystems from the worst-case shortest vector problem,” In STOC 2009, pp. 333-342, 2009. [37] C. Rackoff and D. Simon, “Noninteractive Zero-knowledge Proof of Knowledge and Chosen Ciphertext Attack,” In CRYPTO ’91 , LNCS, Vol. 576, pp. 433– 444, 1992. [38] R. Rastaghi and H. R. Dalili Oskouei, “Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm,” IJCSI, International Journal of Computer Science Issues, Vol. 9(5), No 1 , pp. 110-117, Sep. 2012. [39] M. Rückert, “Adaptively secure identity-based identification from lattices without random oracles,” 7th international conference on Security and cryptography for networks, pp. 345-362, 2010. [40] A. Rosen and G. Segev, “Chosen-Ciphertext Security via Correlated Products,” In TCC 2009, LNCS, Vol. 5444 , pp. 419–436, 2009. [41] A. Shamir, “A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem,” IEEE, Transactions on Information Theory, Vol.30 , pp.699- 704, 1984. [42] W. P. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal of Computing, Vol. 26, pp. 1484-1509, 1997. [43] R. Steinfeld, S. Ling, J. Pieprzyk, C. Tartary, H. Wang, “NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model,” In Public Key Cryptography, PKC 2012, LNCS, Vol. 7293 , pp 353-371, 2012.