Code-based Post-Quantum Cryptography

Cryptography has been used from time immemorial for preserving the confidentiality of data/information in storage or in transit. Thus, cryptography research has also been evolving from the classical Caesar cipher to the modern cryptosystems based on modular arithmetic to the contemporary cryptosystems based on quantum computing. The emergence of quantum computing imposes a major threat on the modern cryptosystems based on modular arithmetic, whereby even the computationally hard problems which constitute the strength of the modular arithmetic ciphers could be solved in deterministic time. This threat triggered post-quantum cryptography research in order to design and develop post-quantum algorithms that can withstand quantum computing attacks. This paper provides a review of the various post-quantum cryptography and, specifically, code-based cryptography research dimensions. The research directions that are yet to be explored in code-based cryptography research are another key contribution of this paper.


Introduction
Cryptographic systems are built upon complex mathematical problems such as integer factorization and computing discrete logarithms [1] [2], which can only be solved if knowledge of some secret data is available; typically a very large number. Without these numbers, it is impossible to reverse-engineer encrypted data or create a fraudulent digital signature. These numbers are what we know as cryptographic keys. For instance, the RSA algorithm [3] works by using pairs of very large prime numbers to generate public and private keys. The public key can be used to create a mathematical challenge that can only be solved by someone who holds the private key. Attempting to guess the answer, by way of a brute-force search, would take thousands of years using contemporary computers. Unlike their classical counterparts, quantum computers will be able to solve these mathematical problems incredibly quickly. The asymmetric algorithms we use today for digital signatures and key exchange will no longer be strong enough to keep data secret once a sufficiently powerful quantum computer can be built. This means that core cryptographic technologies that we have to rely on, RSA and elliptic curve cryptography, will become insecure. By contrast, symmetric algorithms and hash functions are only partially affected by quantum computers; the best quantum algorithms are about twice as fast as their classical counterparts, so key lengths and hash sizes will need to double. But we can still continue to use the same families of symmetric algorithms (such as AES) without concern. This context alludes to the fact that asymmetric algorithms which are in widespread use today can succumb to quantum attacks and hence quantum attack resistant, or in other words post-quantum, cryptographic algorithms need to be evolved. In 1996, Grover proposed an $O(\sqrt{N})$-time quantum algorithm for functions with N-bit domains [16].
This quantum algorithm, once realized on quantum computers, can be used for breaking symmetric key cryptosystems, and to defend against attacks based on Grover's algorithm we need to double the key sizes in order to achieve a similar level of security against conventional computers. For example, for 128-bit symmetric key security, we need to use symmetric key cryptosystems which are originally designed for achieving 256-bit security against attacks based on Grover's quantum algorithm. It is also predicted that quantum computers will be able to break several of today's cryptographic algorithms that are used to secure communications over the internet, provide a root of trust for secure transactions in the digital economy and encrypt data. To protect against attacks from quantum computers, vendors of security products and service providers must constantly assess the risk asso- quantum computers. There are several candidate approaches for building post-quantum cryptographic schemes as described below in Subsection 3.1 [17], [18], [19]. [20] that is based on one-time signatures (e.g. the Lamport signature scheme) and uses a binary hash tree (Merkle tree). The MSS is resistant against quantum computer algorithms. More details can be found in the survey on hash-based schemes by Butin (2017) [21]. The Sphincs+ hash-based signature [22] was chosen as an alternate solution in the outcome of the third round of the NIST standardisation process.

Code-based cryptography

Code-based cryptography [23] has its security relying on the hardness of problems More about the current state of the multivariate cryptography schemes can be found in the paper of Ding and Petzoldt (2017) [24]. Two multivariate-based signature schemes were chosen in the outcome of the third round of NIST. Rainbow [25] impact of the threat imposed by PQC is also well perceived by industry professionals.

The survey also reveals the industry readiness in the adoption of PQC to be beyond As per the ten year Market and Technology Forecast Report in [40], a comprehensive study about the prospective markets for PQC products and services has been carried out.

The IT industry, cyber security industry, telecommunications industry, financial services industry, healthcare industry, manufacturing industry, PQC in IoT and public sector applications of PQC have been identified as prospective markets for PQC in the report.

An elaborate study of how PQC could augment or enhance the functioning of the above industries has been detailed in the report. A ten year forecast of revenue assessment of PQC in each of the above industries is detailed in the said report, which is indicative of the prospective industry market and trend for PQC.

to address key generation and transmission methods that will aid the industry in understanding quantum-safe methods for protecting data through quantum key

[59], [60] Linear codes are linear block codes over an alphabet $A = \mathbb{F}_q$, where $\mathbb{F}_q$ denotes the finite field with $q = p^l$ elements, $l \in \mathbb{N}$, $p$ prime. The alphabet is often assumed to be binary, that is $p = 2$, $l = 1$, $q = 2$, $\mathbb{F}_2 = \{0, 1\}$. The encoding of the source bits is done in blocks of predefined length k, giving rise to the name "block code". In code-based cryptography, only binary codes are considered, i.e. codes over $\mathbb{F}_2$.

The following are the matrices used in code-based cryptography.

• A generator matrix G of an [n, k] code C in systematic form is $G = (I_k \mid Q)$, where $I_k$ is the $k \times k$ identity matrix and Q is a $k \times (n-k)$ matrix (redundant part).

• A parity-check matrix H of an [n, k] code C is an $(n-k) \times n$ matrix H such that $C = \{c \in \mathbb{F}_2^n : Hc^T = 0\}$.

• The parity-check matrix H is generated from the generator matrix as $H = (Q^T \mid I_{n-k})$.

The encoding process applies an injective $\mathbb{F}_2$-linear function $f_c : \mathbb{F}_2^k \to \mathbb{F}_2^n$ on an input block of length k, i.e. every codeword can be generated by multiplying a source vector by G. Hence, the matrix G corresponds to a map $\mathbb{F}_2^k \to \mathbb{F}_2^n$ mapping a message of length k to an n-bit string. This encoding process corresponds to encryption in code-based cryptography.

The decoding process is about finding the closest codeword $x \in C$ to a given $y \in \mathbb{F}_2^n$ for all codewords $y \in C$ given a received vector in $\mathbb{F}_2^n$.

• Maximum Likelihood Decoding - Given a received codeword $x \in \mathbb{F}_2^n$, maximum likelihood decoding (MLD) tries to find the codeword $y \in C$ that maximizes the probability that x was received given that y was sent.

The decoding process corresponds to decryption in code-based cryptography.

In convolutional coding, the coder input and output are continuous streams of digits.

The coder outputs n output digits for every k input digits, and the code is described as a rate k/n code. The different types of linear codes used are as follows [61], [ In many applications, the allowed length of the error control code is determined

• An (n, k) code is extended by adding an additional parity bit to become an (n + 1, k) code.

• An (n, k) code is shortened by deleting any of its information bits to become an (n − 1, k − 1) code.

• An (n, k) code is lengthened by adding an additional information bit to become an (n + 1, k + 1) code.

• An (n, k) code is expurgated by deleting some of its codewords.

Based on the study of the various linear codes, the following relationships between codes have been identified as part of this research work; they are depicted in Fig. 2.
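As an added worked example (not code from the paper), the matrices, encoding, parity check and maximum-likelihood decoding described above, together with the parity-bit extension of an (n, k) code to an (n + 1, k) code, carried out in Python on the binary [7, 4] Hamming code. The redundant part Q is a constructed choice and all function names are assumptions of this example.

```python
# Added example, not from the paper: a binary [7,4] systematic code in the
# paper's notation, G = (I_k | Q), H = (Q^T | I_{n-k}), c = mG, Hc^T = 0.
from itertools import product

# Constructed k x (n-k) redundant part Q; this choice gives the [7,4] Hamming code.
Q = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]

def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]

def generator_matrix(Q):
    """G = (I_k | Q): a k x n matrix whose rows span the code C."""
    return [identity(len(Q))[i] + Q[i] for i in range(len(Q))]

def parity_check_matrix(Q):
    """H = (Q^T | I_{n-k}): an (n-k) x n matrix with C = {c : Hc^T = 0}."""
    r = len(Q[0])
    Qt = [[Q[i][j] for i in range(len(Q))] for j in range(r)]
    return [Qt[j] + identity(r)[j] for j in range(r)]

def encode(m, G):
    """c = mG over F_2: XOR together the rows of G selected by the bits of m."""
    c = [0] * len(G[0])
    for bit, row in zip(m, G):
        if bit:
            c = [x ^ y for x, y in zip(c, row)]
    return c

def syndrome(y, H):
    """Hy^T over F_2; all-zero exactly when y is a codeword of C."""
    return [sum(a & b for a, b in zip(row, y)) % 2 for row in H]

def codewords(G):
    """All 2^k codewords: the image of the map F_2^k -> F_2^n given by G."""
    return [encode(m, G) for m in product((0, 1), repeat=len(G))]

def mld_decode(y, G):
    """Maximum-likelihood decoding on a binary symmetric channel: the codeword
    at minimum Hamming distance from the received word y (exhaustive search)."""
    return min(codewords(G), key=lambda c: sum(a != b for a, b in zip(c, y)))

def extend(G):
    """(n, k) -> (n+1, k): append an overall parity bit to each row of G."""
    return [row + [sum(row) % 2] for row in G]

def min_distance(G):
    """Minimum distance of a linear code = least weight of a nonzero codeword."""
    return min(sum(c) for c in codewords(G) if any(c))
```

Flipping one bit of a codeword gives a nonzero syndrome equal to the matching column of H, and MLD recovers the original codeword; extending the [7, 4] code raises the minimum distance from 3 to 4.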

The relationships between the special codes are depicted in Fig. 3. Variants of McEliece were built using different linear codes [65]. But those variants were proven to be susceptible to attacks [18], [66] and only the McEliece built using the binary Goppa code is found to be quantum attack resistant to date. Thus, it has also been chosen for

A comparison of the latter three signature schemes is provided in Table 6 [71].

The following are the different types of attacks to which code-based cryptographic algorithms have been subjected [2].

This work provides a comprehensive study and an extension of the chapter "Code-based cryptography" of the book [74].

The most recent survey in code-based cryptography was published in 2018 [78].

In this paper, the authors survey code-based cryptography, essentially for encryption and signature schemes. The authors also provide the main ideas for theoretical and physical cryptanalysis.

To the best of our knowledge, these are the surveys available in the direction of code-based cryptography.

In this section, we lay out some of the research directions which have been least explored and still remain as white spaces in code-based cryptographic research.

Though this paper elaborates on both PQC and code-based cryptography, the future

Since we consider encoding from a cryptographic perspective, the following requirements are to be fulfilled by a code / encoding technique in order for it to constitute a complete and secure code / encoding technique. These requirements have already been identified in our earlier work in [80].

Table 7 shows the various requirements for data encoding listed above and the types of

From the comparison in Table 7, it is observed that, beyond the linear codes which are presently used in code-based cryptography, DNA codes provide promising scope for use in cryptography. This has been described in detail in [80]. Though research in DNA cryptography is active and the domain has been explored in interesting dimensions, DNA cryptography has not been proven to be quantum attack resistant.

If DNA cryptography is proved to be quantum attack resistant, then it provides a bio-inspired, high-value addition to the field of code-based cryptography. This dimension needs to be explored in further detail.

Whereas attribute-based encryption provides selective decryption of ciphertext based on the fulfillment of attributes by the receiver, homomorphic encryption enables computations to be performed on the encrypted data itself, eliminating the requirement for decryption.

In code-based cryptography, only the McEliece cryptosystem has been proven to be somewhat homomorphic [94]. But attribute-based encryption in code-based cryptography is yet to be explored. Hence, there is a need for a lot of research to enable the

q-ary lattices to solve SIS and LWE problems [95]. A linear code of length n and dimension k is a linear subspace of $\mathbb{F}_q^n$, which is called a q-ary code. The possibility of using q-ary lattices [96] to implement ternary codes, i.e. q-ary codes, in code-based cryptographic schemes is an unexplored area. It may be noted here that DNA cryptography is a quaternary code which has received due exploration from the authors but only needs to be ascertained for its quantum attack resistance.

2. There is a major lattice algorithmic technique that has no clear counterpart for codes, namely basis reduction. There seem to be no analogous notions of reduction for codes, or at least they are not explicit nor associated with reduction algorithms. We are also unaware of any study of how such reduced bases would help with decoding tasks. This observation leads to two questions.

Also, from the NIST standardization, it has been observed that code-based cryptography provides scope to be recognized as a complete cryptosystem, with encryption, key exchange and digital signature schemes available, unlike its post-quantum counterparts, which provide only a subset of these. Hence, code-based cryptography has been explored in detail and the promising research directions that can augment the prospects of code-based cryptography have been identified and described.