This document discusses post-quantum cryptography and code-based cryptosystems as an alternative that is secure against quantum computers. It describes the McEliece cryptosystem, which uses error correcting codes, and introduces staircase generator codes and randomly split staircase generator codes to improve efficiency and security. The randomly split staircase generator codes cryptosystem allows for both encryption and digital signatures using efficient procedures while providing 80-bit security levels against quantum attacks, though it has large key sizes of around 10 megabytes.

1. Post Quantum
Cryptography
With random split of
St-Gen Codes

2. Cryptography
● A very old science that has existed since the roman times.
● Nowadays it is deeply integrated into everyday life.
● Just a few out of many example uses:
○ Securing online sessions (SSL)
○ Present in almost every texting application.
○ The OpenPGP standard for encrypting.
● No longer only concerned with confidentiality of information.
● Digital signatures can provide authentication and integrity.
● Cryptographic onions can be used for anonymity.

3. Cryptography
● Symmetric Cryptography:
○ Makes use of a single key for encryption and decryption
○ Can operate on blocks or streams of bytes
○ Most popular examples are AES, DES, 3DES
● Asymmetric Cryptography:
○ Each party must generate two different key
○ Public key is given out to encrypt incoming messages
○ Private key is kept hidden to be used for decryption
○ Can be used for other primitives such as digital signature
○ Most famous example is the RSA algorithm

4. Cryptographic Problems
Security is achieved through hardness of mathematical problems.
The Factorization Problem:
Given n = pq where p and q are unique prime numbers. Find p and q in polynomial
time.
The Discrete Logarithm Problem:
Given β=αa
, find a in polynomial time.
No efficient classical algorithms exist for either of the two problems.

5. Quantum Computers
● Classical Computers use bits to
store information.
● Always in one of two states at any
point in time (0 or 1).
● In contrast, quantum computers
have Qubits.
● Can be in two states
simultaneously (0 and 1).
● A quantum computer with two
bits can be in and act upon 4
states at the same time.

6. Classical Cryptography Under Quantum
Attacks
● It started with Shor’s algorithm
developed by Peter Shor in 1994.
● Can factorize a composite number
N in polynomial time.
● Demonstrated that public key
cryptography algorithms can be
broken.

7. What now ? (Post Quantum Cryptography)
● We need to update our current cryptographic primitives to be able to deal with
the new threat.
● Fortunately we do not have to start from scratch.
● Cryptographic classes that do not rely on vulnerable mathematical problems
already exist.
○ Code based cryptography
○ Multivariate public key cryptography
○ Lattice based cryptography
○ Hash based cryptosystems

8. Code based cryptography
● Builds on the concepts introduced by
Claude Shannon in 1948.
● Coding theory was developed to be able
to retrieve the original message after
transmission through a noisy channel.
● A concept that is easily adaptable to
cryptography.
● Artificial noise can be applied to a
message to hide its contents.
● The original recipient can recover the
message by knowing additional
information about the encoding scheme.

9. Terminology
● Hamming Weight: The number of
positions which have non zero
characters
Ex: HWeight(0110) = 2
● Hamming Distance: The number of
positions that vary between two
strings
Ex: HDist(0110, 0101) = 2
● Error Correcting Code: An
encoding scheme that attaches
redundant information to a
message, used to recover from
errors.
● Codeword: The encoded vector
outputted by an error correcting
code. A code defines a subspace
over the alphabet containing all its
codewords.

10. Terminology
● Linear Binary Code: Most interesting family of codes used in cryptography.
○ Linear if any linear combination of two codewords, is itself a codeword.
○ Binary if defined over a binary alphabet.
○ Defined by its parameters n and k, written (n,k). n is the length of input vectors and k is the length
of output vectors.
● Generator Matrix: For an (n,k) code C,, a generator matrix is any n x k matrix
that corresponds to the mapping from n-bit vectors to k-bit vectors, according
to the encoding scheme of C.
c = vG

11. The McEliece Cryptosystem
● Code based cryptosystem proposed by McEliece in 1978.
● Many following variations and attempted improvements including Niederreiter
in 1986.
● First successful digital signature scheme is as recent as 2001.
● While requiring some modifications over the years, it remains unbroken after
near 30 years of cryptanalysis.
● Despite faster encryption and decryption procedures, never received much
popularity.
● Key size is 32 KBytes compared to 4096 bits for RSA.

12. The McEliece Cryptosystem
Parameters:
● (n,k) linear code capable of correcting t-errors
● n is the length of the input vector
● k defines the length of encoded vector
● t is restriction set on the error vector
Key Generation:
● Random Invertible k x k matrix S
● Random k x k permutation matrix P
● Random n x k Generator G
● Public key Gpub
=SGP
● Private key (S,G,P)
Encryption:
● Random n-bits vector e of weight t
● C = mGpub
+ e
Decryption:
● y’ = CP-1
● Apply a decoding algorithm to y’ using G to get
y = mS
● m = yS-1

13. Decoding Algorithms
Unique Decoding Algorithms:
● Return only a single answer for the
decoded word
● Restricts the weight of the error vector e
List Decoding Algorithms:
● Can return multiple answers with
different probabilities
● Can correct more errors
● Only interesting if one of the answers has
overwhelming probability

14. Staircase Generator Codes
● In 2014, a new family of linear codes was introduced as staircase generator
codes
● Based on it, a new variation of the McEliece cryptosystem was proposed
including an encryption and signature scheme.
● The new scheme imposes restrictions on the structure of the generator matrix
allowing for more efficient list decoding algorithm.
● It also gives the sender control over the noise generated by the “noisy channel”
by defining two parameters: density and granularity.
● Encryption scheme can be adapted directly into a signature scheme using the
decryption algorithm.

15. Generator Matrix
● For a (n,k) linear binary code, a
generator matrix would have
dimension n x k.
● Each Bi
is a random binary matrix.
● The dimensions of the submatrices
imposes a stepwise random block
structure.
● The stepwise structure allows for
defining a very efficient list
decoding algorithm.

16. Error Sets
● Random errors are good model for communication
channels
● Unnecessary in context of cryptography.
● Error sets give control over artificial noise.
● Arbitrary error sets guarantee list decoding success
with overwhelming probability
Ex: El
= { 00, 01, 10}
● An error vector is taken from the set
El
n
= El
x El
x El
x El
x ….

17. St-Gen Codes Cryptosystem
Parameters:
● (n,k) linear code capable of correcting t-errors
● n is the length of the input vector
● k defines the length of encoded vector
Key Generation:
● Random Invertible n x k matrix S
● Random k x k permutation matrix P. P must
only permute blocks of size l.
● Random n x k Generator G
● Public key Gpub
=SGP
● Private key (S,G,P)
Encryption:
● Random n-bits vector taken from the error set
● C = mGpub
+ e
Decryption:
● y’ = CP-1
● Apply a decoding algorithm to y’ using G to get
y = mS
● m = yS-1

18. St-Gen Codes Cryptosystem
Signing:
● y’ = zP-1
● Apply a decoding algorithm to y’ using G to get
y = mS
● = yS-1
Verification:
● e = Gpub
+ z
● If e is in the error set, then the signature is
accepted.

19. Randomly Split St-Gen Codes
● A successful attack using Information Set Decoding was later demonstrated.
● ISD is a technique to recover the error vector used to encrypt the message.
● Which can in turn be used for practical key recovery.
● Exposing the staircase generator matrix allows for structural attacks.
● To thwart the ISD attack a new idea is introduced to split the public generator
matrix into s randomly generated matrices.
● With the random split, the probability of a successful attack becomes negligible.

20. Randomly Split St-Gen Codes Cryptosystem
Key Generation:
● Random Invertible n x k matrix S
● Random s k x k permutation matrices P1
,P2
, … , Ps
.
● Random n x k Generator G
● Random n x k matrices G1
G2
…Gs-1
● Gs
= G + G1
+ G2
+ … + Gs-1
● Public key Gpub(i)
=SGi
Pi
● Private key (S,G,P1
,P2
, … , Ps
)
Encryption:
● Random n-bits vector taken from the error set
● Ci
= mGpub(i)
+ ei
Decryption:
● y’i
= Ci
Pi
-1
● y’ = ∑i
y’i
● Apply a decoding algorithm to y’ using G to get
y = mS
● m = yS-1

21. Randomly Split St-Gen Codes Cryptosystem
Signing:
● y’i
= Ci
Pi
-1
● y’ = ∑i
y’i
● Apply a decoding algorithm to y’ using G to get
y = mS
● m = yS-1
Verification:
● e = Gpub(i)
+ zi
● If e is in the error set, then the signature is
accepted.

22. Results
● Implementation of both encryption scheme and digital signature scheme in C.
● Extremely fast procedures.
○ Key generation procedure for 80-bits of security: 127.840 seconds
○ Encryption: 0.2 seconds
○ Decryption: 1.500 seconds
● Low cost modifications.
● Both encryption and digital signature schemes use mostly the procedures.
● Signature scheme produces signatures that are very efficient in terms of
space.
● Cons:
○ key size in the order of 10 Kegabytes.

23. Thank you.
Questions ?