WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

Post-Quantum Network Security: McEliece and Niederreiter Analysis and Education Issues

ALEKSEI VAMBOL1, VYACHESLAV KHARCHENKO1, OLEXANDR POTII1, NIKOS BARDIS2 1 Department of Computer Systems and Networks National Aerospace University «KhAI», Kharkiv, Ukraine 2 Department of Mathematics and Engineering Sciences Hellenic Army Academy Athens, 19400, Greece

[email protected]; [email protected]; [email protected]; [email protected]

Abstract —The paper is aimed at analyzing of the classical McEliece and Niederreiter cryptosystems as well as the Quasi-Cyclic MDPC McEliece cipher in a context of the post-quantum network security. Theoretical foundations of the aforesaid cryptographic schemes are considered. The characteristics of the given cryptosystems and other asymmetric schemes are analyzed. The cipher metrics, which are considered in the paper, include cryptographic strength, performance, public size and length of . The binary Goppa codes are described in the context of their role for the cryptanalytic resistance of the classic McEliece and Niederreiter schemes. The crucial advantages and drawbacks of the aforementioned cryptosystems are analyzed. The prospects for application of these ciphers to the network security protocols are outlined. The investigations, which are aimed at finding ways to reduce the public key sizes and improve the energy efficiency of the given ciphers, are briefly described. A new educational module “Introduction to Post-Quantum ” is presented.

Keywords—McEliece , Niederreiter cryptosystem, Quasi-Cyclic MDPC McEliece cryptosystem, . post- Received: August 30, 2020. Revised: November 13, 2020, Accepted: November 16, 2020. Published: November 19, 2020 .

1. Introduction quantum era. Representative schemes of this class are Public key cryptographic algorithms are one of the the McEliece and Niederreiter cryptographic fundamental tools for providing secure data storage algorithms that are developed based on the binary and communication for users and systems. Their Goppa codes. The further development of the principal advantage arises from their ability to McEliece and Niederreiter algorithms is therefore provide a solution to the problem of sharing highly relevant in the context of the advancement of symmetric keys between distant users communicating post – quantum cryptography [1, 2]. over insecure channels. The aim of this paper is to present an analysis of The current technological advances in the field of the McEliece and Niederreiter schemes focusing on quantum computers make quantum the underlying theory, foundations and a comparative feasible. This fact in turn, renders most contemporary study between these two and other asymmetric Public Key Cryptosystems such as the RSA and El- cryptographic algorithms. The comparison is based on Gamal algorithms susceptible to quantum suitable metrics of cipher quality such as cryptanalysis attacks. cryptographic strength, computational complexity, Post-quantum cryptography therefore, requires the public and ciphertext length. development for a variety of innovative cryptographic The given work analyzes both the classical algorithms that are resilient to attacks using quantum versions of the aforementioned code-based computers [1, 2]. cryptosystems and the Quasi-Cyclic MDPC McEliece Code based cryptography is a class of Public Key cipher developed in order to reduce public key sizes. Cryptosystems that are viewed by many researchers The analysis focuses especially on the operation of as suitable for achieving good results in the post – the binary Goppa codes and their contribution

E-ISSN: 2224-2856 627 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

towards the cryptanalytic resilience of the classical 3) A random vector z of weight t and dimension n McEliece and Niederreiter schemes [2]. Besides, an is chosen at random. educational module “Introduction to Post-Quantum 4) The ciphertext c is calculated as c=v+z. Cryptography”, which has been developed by authors The corresponding decryption algorithm consists of paper, is briefly discussed. of the following steps [4]: The paper is organized as folows. The features of 1) The vector u = c•P -1 of lentgh n is first the classical McEliece and Niederreiter schemes are computed. analyzed in Sections II and III. In Section IV an 2) The vector d which is the result of decoding the analysis of the binary Goppa codes. The comparison vector u with the code C is hence obtained. between the features of these two cryptographic 3) The vector m′ = d • S-1 of the decrypted algorithms is given in Section V. An analysis of the message is formulated. the Quasi-Cyclic MDPC McEliece cipher is presented The proof of the correctness of this cipher is given in Section VI. The aforementioned educational below: module is presented in Section VII. Section VIII 1) The value of the vector u is calculated as u = c • includes a summary of the advantages and P-1 = (m • E + z) • P-1 = m • S • G + z • P-1. Given that weaknesses of the investigated cryptographic G is a generator matrix of the C, the algorithms, as well as principles for the utilization of vector m • S • G is a valid word of the code С. these cryptosystems in network security protocols. Because of the fact that P is a permutation matrix, it Additionally, a description is given of current follows that z • P-1 is of weight t. It may therefore be research efforts aiming at finding ways to reduce the deduced that the vector u, that is the result of the public key sizes and improve the energy efficiency of encoding of the message m • S, is a is essence a these cryptographic schemes. distortion of t symbols in a word of code С, 2) Accordingly, d, the decoded version of the vector u with the code С, is equal to m • S because of 2 Features of Cryptosystems the fact that code С is capable of correcting at least t 2.1 The McEliece cipher errors. The first probabilistic cipher was developed by 3) The decryption process d • S-1 = m • S • S-1 = m Robert McEliece in 1978 [3]. The algorithm is based hence recovers the decrypted message vector m′. on binary linear codes and linear algebra over GF(2). The key pair generation includes the following 2.2 The Niederreiter cipher actions [3]: Contrary to the McEliece algorithm, the 1) A binary linear (n, k)-code С with k × n cryptographic algorithm proposed by Harald generator matrix G is chosen at random. The code Niederreiter is deterministic, with the corresponding should be suitable for correcting at least t errors and encryption process being faster. The algorithm is the corresponding decoder should be efficient. suitable for applications [5], but the 2) An n × n random permutation matrix P and a computational effort required for signature generation nonsingular k × k matrix S are also randomly is larger compared to other quantum safe algorithms generated. [1]. Similarly to the McEliece cipher, this cipher also 3) The matrix E = S • G • P of size k × n is also employs linear algebra over GF(2) and binary linear generated. codes. 4) The tuples (E, t) and (S, G, P), corresponding to The key pairs are obtained using the following the public and private respectively are hence created. algorithm [4]: Consequently, the encryption algorithm is 1) A binary linear (n, k)-code С is randomly completed as follows [4]: chosen, together with a parity check matrix H of size (n – k) × n. The code should be such that it has an 1) The message is represented as a k-dimensional efficient decoding algorithm and should be capable of vector m. correcting at least t errors. 2) The vector v = m • E is calculated.

E-ISSN: 2224-2856 628 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

2) A random nonsingular (n – k) × (n – k) matrix S Vector representation over GF(2) is used for the and a random n × n permutation matrix P are also codewords: generated. c = (c1, ..., cn) 3) The (n – k) × n matrix E = S • H • P is hence satisfying the condition [6]: calculated. n ci 4) The public and respective private keys are ∑ ≡ 0 mod g(x) x - Li hence obtained as (E, t) and (S, H, P). i=1 Binary Goppa codes possess a series of properties For encryption of a message, the algorithm has as rendering them particularly relevant in the context of follows [4]: error correcting coding: 1) The initial message is represented as an n- • dimensional vector m with a maximum weight of t. The decoding algorithms corresponding to these codes are efficient with complexity 2) The ciphertext is obtained using the equation 2 с = E • mT. O(n ) [7]. • The corresponding decryption algorithm has as Members of this class of codes possess follows [3]: properties considered highly advantageous 1) The (n – k)-dimensional vector u is calculated: compared to other linear codes [8]. u = S-1 • c. • The class of codes is a generalized version of 2) The variable d is obtained as the transpose of the BCH codes [4]. the error vector corresponding to the syndrome u by Binary Goppa codes provide an important element applying the error correction of the code C. in strengthening the cryptographic resilience of the 3) The message vector is recovered by equation McEliece and Niederreiter ciphers. m′ = (P-1 • d)T. Cryptanalysis of the above ciphers involves The proof of correctness of the cipher is hence decoding an arbitrary public linear code obtained by a derived: random transformation of a rapidly decodable private 1. Vector u is equal to: one, a problem which is shown to be an NP-complete S-1•c=S-1•E•mT=H • P • mT. problem [4]. Given that P is a permutation matrix, the column There do not exist efficient algorithms allowing a vector P • mT has a weight less than or equal to t. It is distinction between binary Goppa codes and binary shown that u is the syndrome of the error vector (P • random codes [9]. The number of non – equivalent mT)T with maximum weight t, given that H is a parity binary Goppa codes increases exponentially as their check matrix of the linear code C length and dimension becomes larger [10]. 2) Since the code С is capable of correcting at Consequently, it can be deduced that the recovery least t errors, then vector d, the transposed error of a hidden code and a reduction of the subsequent vector corresponding to the syndrome u in the error stage in the cryptanalysis of the McEliece and correction procedure of the code C, is equal to P • mT. Niederreiter ciphers for effective decoding of the 3) The recovered message m′ is derived using restored code cannot be achieved in polynomial time equation: [4]. (P-1•d)T= (P-1 • P • mT)T = m. 2.4 Comparison between the McEliece and 2.3 Binary Goppa codes Niederreiter cryptographic algorithms Valery Goppa proposed a class of linear block error The ciphers under study possess the following correction codes in 1969. Each code is specified by a properties: separable polynomial g(x) of degree t over GF(2m) • Quantum resistance, a feature that does not and a sequence L of n distinct elements of this field, exist in widely used asymmetric algorithms, which are not the roots of g(x). Properties of the codes such as RSA and ElGamal schemes [1, 2]. include [5]: • Smaller encryption and decryption • Length of codeword n ≤ 2m. computational complexity compared with • Distance of code d ≥ 2t + 1. RSA. The quantum safe schemes under study • k ≥ n – mt information symbols.

E-ISSN: 2224-2856 629 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

have a computational complexity of O(n2), has been multiplied from the right by a suitable while RSA has correspondingly O(n3) [3]. column permutation matrix [17]. • The computational complexity of the key However, another definition of quasi-cyclic codes generation for the quantum safe, code-based was given, where they were described as codes, ciphers under study is O(n3) [11]. The whose words consist of s successive blocks of the corresponding complexity for the generation same length in a way that application of simultaneous of the RSA key pair is of O(n4) [12]. circular shift to each of this blocks results in another • Increases in the size of the cryptographic codeword. The codes, which are used in the scheme result in significantly smaller aforementioned cryptosystem, are quasi-cyclic increases in the computational complexity in according to this definition [18]. In the rest of this comparison with RSA. The complexity for n- paper the term “quasi-cyclic codes” is used in this bit encryption and decryption schemes are of sense. orders O(n2) for the considered quantum safe There are several advantages of quasi-cyclic codes ciphers and O(n6) for RSA [1]. which determine their usage in the given • The key size required to achieve n-bit cryptographic scheme. Both generator and parity- cryptographic strength is O(n2 log2 n) for the check matrices of these codes can be represented as quantum-resistant ciphers and O(n3 / log2 n) arrays of circulants, and a circulant can be completely for RSA [13]. described by its first row. The given properties make The McEliece and Niederreiter cryptographic possible a storage of the aforementioned matrices in a algorithms have the following disadvantages: compact representation. There is an isomorphism n • The public keys of the McEliece and between the ring of polynomials modulo x - 1 and the Niederreiter ciphers must be of sizes of 429.5 ring of n × n circulants over GF(2), in which every KB and 69.2 KB respectively, so as to be element of the first algebraic structure corresponds to equally secure to the RSA-2048 with 0.5 KB the circulant, whose first row is represented by a public keys [14]. sequence of coefficients of the preimage polynomial. • The RSA present no ciphertext expansion. The These circumstances make possible efficient ciphertext produced is on average expanded by computations, where polynomials are used in 1.6 times longer compared to the plain text for operations instead of matrices [16]. the McEliece scheme [3]. For the case of the Low-density parity-check (LDPC) codes are the Niederreiter cipher, this figure is different than class of linear block codes, whose rows have constant in case of the McEliece cryptosystem, small Hamming weight, which is usually less than 10. depending on the parameters of the underlying These codes have been proposed by Robert Gallager code, but still greater than one [14]. in [19]. Moderate-density parity-check (MDPC) codes differ from LDPC ones only in a larger weight of 0.5 0.5 3 The Quasi-Cyclic MDPC McEliece rows, which is O(n log n), where n is length of a codeword [16]. cryptosystem The procedure of construction of a binary quasi- The problem of large public keys is the most cyclic (n, n - r)-MDPC code, where rows of a parity- significant one for code-based cryptographic schemes. check matrix H have weight w and n = rc, consists of Several proposals have been made to overcome this the following steps [16]: drawback, among which the most notable one is the 1) Random generation of n-dimensional binary McEliece cryptosystem based on the quasi-cyclic vector h of weight w. This vector defines H and can moderate-density parity-check codes [15]. This be represented as the sequence of r-dimensional encryption scheme was proposed in [16]. binary vectors d0, d1, ..., dc-1 of weights w0, w1, ..., wc-1. According to the most widespread definition, the 2) Forming of H as [H0|H1|... |Hc-1], where Hi is code is quasi-cyclic if there is such integer s that a r × r circulant, whose first row is equal to di. Each cyclic shift of any codeword by s positions produces circulant Hi has row weight wi and j-th row of H is a another word of this code. A generator matrix of this sequence of j-th rows of circulants H0, H1, ..., Hc-1, code can be represented as array of circulants, which thus all rows of H are of weight w.

E-ISSN: 2224-2856 630 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

3) Assuming Hc-1 is non-singular, a generator Specificity of the aforementioned MDPC-oriented matrix G in row reduced echelon form is obtained as variant of this algorithm lies in the approach for [I|Q], where I is (n - r) × (n - r) identity matrix and Q choice of b, where this parameter is recomputed at is a column of r × r matrices Q0, Q1,..., Qc-2, where each iteration between forming of e and bits inverting -1 T Qi=((Hc-1) •Hi) . in m. A new value of b is defined as the largest The results of inversion, product and transposition element of e decreased by a small integer δ. In case of of circulants are also circulants [19]. Thus, Q is a decoding unsuccess, a value of δ is decremented by 1. column vector of circulants, and G can be compactly If updated δ is non-negative, another attempt is made, stored in memory, being represented by array of c - 2 otherwise, failure notification is returned. The binary vectors, which are used for description of purpose of the given approach for definition of a corresponding circulants in Q. parameter b is to achieve maximum error-correcting Encoding of (n - r)-dimensional binary vector can ability for Gallager's bit flipping algorithm, while be implemented as its multiplication from the right by trying to retain a performance as good as possible G, and the result of this operation is n-dimensional [16]. binary vector, whose first n - r elements constitute an Estimation of the error-correction capability of this input sequence. These properties are determined by MDPC-oriented Gallager's algorithm can be G, which is a generator matrix of a systematic linear performed using Gallager's analysis proposed in [19], block code [16]. which has been developed to calculate a threshold for Decoding of MDPC codes can be performed with the amount of errors, that LDPC codes are able to a variant of Gallager's bit flipping algorithm, which is correct. Although the given analysis is less precise for proposed in [16]. Initial version of Gallager's MDPC codes, it makes possible to compute an upper algorithm, which was intended for decoding of LDPC bound for their error-correction capability. Decoding codes, can be described in the following way [19]: failure rate of MDPC codes can be estimated by 1. Computation of a syndrome column vector means of simulation [16]. y = H • mT, were H is a parity-check matrix of the Quasi-Cyclic MDPC McEliece cryptosystem can given (n, n - r)-LDPC code and m is a binary vector of be described as follows. The key pair generation is received message. the aforementioned construction procedure of quasi- 2. If each element of y is equal to 0, algorithm has cyclic (n, n - r)-MDPC code. The public key is succeeded and the plaintext vector, which consists of represented by a pair of systematic generator matrix G the first n - r elements of m, is returned as a result. and error-correction capability t. The private key is 3. If maximum permissible number of iteration is parity-check matrix H. Thus, both of these keys can reached, algorithm has failed to decode m and error by compactly stored in memory. Encryption of binary notification is returned. message vector m lies in its encoding with error 4. Forming of an integer vector e, whose every injection in the obtained codeword. The ciphertext is element ei is equal to amount of such integers obtained by the formula u = m • G + z, where z is a j ∈ [0, r - 1] that j-th row of y and i-th element of random error vector of weight up to t. Decryption of u j-th row of H and are nonzero. is its decoding by the aforesaid MDPC-oriented bit 5. Inversion of elements of m, for which the flipping algorithm [16]. element of e with the same index is greater than some The given cryptosystem has to be used in constant b, and return to the first step. conjunction with CCA-2 security-conversion, for The number of nonzero elements in rows of parity- example, with the one proposed in [21]. In this case, check matrix for LDPC codes is small. Therefore, in a systematicity of generator matrix does not introduce case of moderate number of errors in a received any security-flaw [16]. message most of syndrome elements will be either 1 Encryption into a ciphertext, which cannot be due to impact of only one erroneous digit or 0 owing decrypted in a way mentioned above, is not to absence of corrupted digits influence. Thus, if for impossible due to nonzero probability of a decoding most rows of parity-check matrix with nonzero i-th failure of the aforementioned MDPC-oriented bit element the same row of syndrome is 1, it is likely, flipping algorithm. The given case has to be treated, that i-th digit of received message is corrupted [19]. and several solutions has been proposed for this. Straightforward approach lies in generation of a

E-ISSN: 2224-2856 631 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

random error vector of such weight that is sufficiently 4 Case study in education: small to provide a negligible decoding failure rate, which is less than machine failure rate. On-the-fly Introduction to post-quantum solution consists in attempt to decode a ciphertext by cryptography” means of another algorithms with better error- Within the framework of TEMPUS SEREIN project correction capability, but significantly lower an educational module for MSc and PhD students, performance. Resend approach implies a request for a which is called “Introduction to Post Quantum new encryption [16]. Cryptography”, has been developed by authors of the Permutation and scrambling matrices, which play paper. Its structure, which is given in Table 2, an important role in the classical McEliece cipher, are includes both lecture and practical classes with 30 not used in Quasi-Cyclic MDPC McEliece hours total workload. In particular, it contains the cryptosystem, because its public key does not contain sections dedicated to the McEliece and Niederreiter any information helpful for decoding of the cryptosystems. underlying code [16]. The characteristics of the public keys for the given Table 2. Structure of the module “Introduction to cryptosystem are given in Table 1, which was Post-Quantum Cryptography”. compiled using data from [16]. Public keys for this Contact cipher are from 96 to 234 times smaller than for the work classical McEliece scheme with the same [16]. Themes

Table 1. Public key sizes in bits for the Quasi-Cyclic Individualwork

MDPC McEliece cryptosystem. Lectures Seminars Practicums Total 1. Introduction to post-quantum cryptography. 2 4 6 2 Security level 1.1. Quantum computers and their 80 bits 128 bits 256 bits impact on cryptography. 1.2. Post-quantum cryptography concept. 2 times 4801 9857 32771 1.3. Comparison of post-quantum Ciphertext 1.5 times 7186 14866 45062 and classical cryptosystems. expansion 2. Code-base cryptography. 2 4 6 4 1⅓ times 9237 20409 61449 1.1. The McEliece cryptosystem. 1.2. The Niederreiter cryptosystem. Despite the advantages of the aforementioned 3. Multivariate cryptography. 2 4 6 3 cipher, recent researches have led to discovery of an 4. Application of post-quantum cryptography 2 2 1 efficient attack on the given cryptosystem. This in network security protocols. cryptanalytic approach allows to recover a private key Total 8 4 8 20 10 by means of sending a large amount of random The given module requires the following and analyzing the probability of decoding prerequisites: failure for different types of error vectors. The given • Applied Cryptology. reaction attack has been proposed in [22]. • Linear algebra. Nevertheless, it is not considered to be devastating • Theory of Finite Fields. enough to make the Quasi-Cyclic MDPC McEliece • Basics of Computer Networks. cryptosystem useless, and this cipher has a prospect • Basics of Number Theory. of being used securely after slight improvements [23]. 5 Conclusion The McEliece and Niederreiter schemes based on the binary Goppa codes are among the most promising candidates for inclusion into the post-quantum standards of asymmetric cryptosystems.

E-ISSN: 2224-2856 632 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

Their main advantages besides the quantum Mathematics and Computers in Sciences and in resistance are high performance and cryptographic Industry (MCSI). IEEE, 2017. strength. The biggest drawback of these ciphers is [3] S. Y. Yan, “Quantum Attacks on Public-Key large key sizes which are the reason of the less Cryptosystems”, Springer, 2013, 214 p. prevalence of the given cryptosystems in comparison [4] E. Jochemsz, “Goppa Codes & the McEliece with RSA and ElGamal schemes. Cryptosystem”, Vrije Universiteit Amsterdam, The aforementioned code-based ciphers can be 2002, 63 p. employed in the asymmetric encryption components [5] R. Lu, X. Lin, X. Liang, X. Shen, “An efficient of the majority of network security protocols as and provably secure public key encryption quantum safe alternative to the currently used scheme based on coding theory”, Security and Communication Networks, 2011, vol. 4, iss. 12, cryptosystems. These protocols, in particular, include pp. 1440-1447. TLS, S/MIME and SSH [1]. [6] V. D. Goppa, “A New Class of Linear Correcting The scientific community is looking for ways to Codes”. Problems of Information Transmission, eliminate the drawbacks of the given ciphers. A 1970, vol. 6, iss. 3, pp. 207-212. variant of the McEliece scheme with the public keys, [7] C. Löndahl, T. Johansson, “A New Version of which are from 96 to 234 times smaller than ones for McEliece PKC Based on Convolutional Codes”, the classical version of this cryptosystem, has been Lecture Notes in Computer Science, 2012, presented in [16]. In the given approach the McEliece vol. 7618, pp. 461-470. cipher is constructed on the basis of quasi-cyclic [8] M. Loeloeian, J. Conan, “A [55,16,19] binary moderate density parity-check codes. Although this Goppa code”, IEEE Transactions on Information variant of the McEliece cryptosystem is vulnerable to Theory, 1984, vol. 30, iss. 5, p. 773. recently discovered new reaction attack on it, there is [9] T. P. Berger, P.-L. Cayrel, P. Gaborit, A. Otmani, a prospect of secure use of this cipher after slight “Reducing Key Length of the McEliece improvements. Cryptosystem”, Lecture Notes in Computer Elliptic shortened codes are used in McEliece Science, 2009, vol. 5580, pp. 77-97. cryptosystem [24] for increasing encryption and [10] P. Fitzpatrick, J. A. Ryan, “Enumeration of decryption procedures by reducing of the key length. inequivalent irreducible Goppa codes”, Discrete Applied Mathematics, 2006, vol. 154, iss. 2, ACKNOWLEDGMENT pp. 399-412. [11] M. Kratochvíl, “Implementation of cryptosystem The authors thank for advising Associate Professor based on error-correcting code”, Charles I. N. Shulga. Besides, we thanks to TEMPUS- University in Prague, 2013, 60 p. SEREIN project (http://serein.eu.org/) team and [12] P. Fahn, “Answers to Frequently Asked colleagues from the Computer Systems and Networks Questions about Today's Cryptography”, RSA Department of National Aerospace University KhAI Laboratories, 1996, 204 p. and other participants of CriCTechS seminar for [13] D. J. Bernstein, J. Buchmann, E. Dahmen, “Post- discussion of the presented results. Quantum Cryptography”, Springer, 2009, 246 p. [14] I. Woungang, S. Misra, S. C. Misra, “Selected Topics in Information and Coding Theory”, References World Scientific, 2010, 724 p. [1] ETSI White Paper No. 8. “Quantum Safe [15] “ETSI GR QSC 001: Quantum-Safe Cryptography and Security”, European Cryptography (QSC); Quantum-safe algorithmic Telecommunications Standards Institute”, 2015, framework”, European Telecommunications 49 p. Standards Institute, 2016, 42 p. [2] Vambol, Aleksei, et al. "McEliece and [16] R. Misoczki, J.-P. Tillich, N. Sendrier, P. S. L. Niederreiter Cryptosystems Analysis in the M. Barreto, “MDPC-McEliece: New McEliece Context of Post-Quantum Network Security." variants from Moderate Density Parity-Check 2017 Fourth International Conference on codes”, IEEE International Symposium on

E-ISSN: 2224-2856 633 Volume 15, 2020 WSEAS TRANSACTIONS on SYSTEMS and CONTROL Aleksei Vambol, DOI: 10.37394/23203.2020.15.62 Vyacheslav Kharchenko, Olexandr Potii, Nikos Bardis

Information Theory (ISIT-2013), 2013, pp. 2069- Creative Commons Attribution License 4.0 2073. (Attribution 4.0 International, CC BY 4.0) [17] R. Daskalov, P. Hristov, “New one-generator quasi-cyclic codes over GF(7)”, Problems of This article is published under the terms of the Creative Information Transmission, 2002, vol. 38, iss. 1, Commons Attribution License 4.0 pp. 50-54. https://creativecommons.org/licenses/by/4.0/deed.en_US [18] C. Aguilar, O. Blazy, J.-C. Deneuville, P. Gaborit, G. Zemor, “Efficient Encryption from Random Quasi-Cyclic Codes”, CoRR abs/1612.05572, 2016, 28 p. [19] R. G. Gallager, “Low-Density Parity-Check Codes”, M.I.T. Press, 1963, 90 p. [20] H. Crapo, D. Senato, “Algebraic Combinatorics and Computer Science: A Tribute to Gian-Carlo Rota”, Springer Science & Business Media, 2001, 546 p. [21] K. Kobara, H. Imai, “Semantically secure McEliece public-key cryptosystems - conversions for McEliece PKC”, PKC 2001: Public Key Cryptography, 2001, vol. 1992, pp. 19-35. [22] Q. Guo, T. Johansson, P. Stankovski, “A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors”, Lecture Notes in Computer Science, 2016, vol. 10031, pp. 789- 815. [23] M. Kindberg, “A usability study of post-quantum algorithms”, Lunds universitet, 2017, 68 p. [24] S. Yevseiev, K. Rzayev, O. Korol, Z. Imanova, “Development of McEliece modified asymmetric crypto-code system on elliptic truncated codes”, Eastern-European Journal of Enterprise Technologies, 2016, vol. 4, iss. 9 (82), pp. 18-26.

E-ISSN: 2224-2856 634 Volume 15, 2020